We’re excited to announce a powerful enhancement now available in QRadar SIEM 7.5.0 Update Pack 12+: Predictive Parsing for Custom Event Properties (CEPs).
What Is It?
Custom Event Properties are essential for extending QRadar’s parsing capabilities, allowing you to extract and use additional fields in rules, searches, and dashboards. With this update, QRadar now brings its Predictive Parsing algorithm—a proven, high-performance technology used in DSMs—into the world of regex-based custom properties.
Why It Matters
Regex is a flexible but resource-intensive method for extracting data. Predictive Parsing intelligently accelerates this process by learning from past events and predicting where to find the data, significantly reducing processing time for CEPs that are enabled for rules, forwarding, and search indexing.
The result?
- Faster event pipeline performance
- Improved efficiency for regex-heavy environments
- Smarter parsing with built-in fallback for edge cases
What You Need to Know
- Predictive Parsing is available in 7.5.0 UP12+.
- It applies to regex-based custom properties that are actively used in the event pipeline (those enabled for rules, forwarding, and search indexing).
- You can enable or disable it per property via the Custom Event Properties UI.
Having Issues?
In rare cases—especially with unusual data formats or delimiters—you might notice unexpected parsing results. If that happens:
- Try disabling Predictive Parsing for that specific property.
- Or reach out to QRadar Support for help tuning the parsing behavior.
This enhancement is part of our ongoing commitment to improving QRadar’s performance and flexibility. We encourage you to explore it and share your feedback!
🎥 Want to See It in Action?
Check out our video walkthrough where we explore the benefits of Predictive Parsing and demonstrate how to enable the feature!
Learn More
For a deeper dive into how Predictive Parsing works and how to configure it, see the IBM tech-note here.