Your organization uses a prebuilt parser for a complex but stable log source and needs additional fields mapped to UDM. What should you do?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

Explanation:
Extending the existing parsing capability is the right approach. A prebuilt parser already handles the complex, stable log source, so you add a parser extension on top of it to extract and map the additional fields into UDM. This keeps the original parsing logic intact and preserves compatibility with vendor updates, while letting you define new field mappings in a separate, upgrade-friendly layer. It minimizes risk because you’re not touching the core parser code, and it keeps maintenance localized to the extension. Building a completely custom parser would duplicate functionality you already rely on and create extra maintenance overhead. Simply applying updates to the prebuilt parser doesn’t address adding new field mappings, and using middleware to alter the data structure adds unnecessary complexity and can disrupt how fields align with UDM. A parser extension gives you the needed flexibility with the least disruption.
