Edge Delta Conditional Group Processor
5 minute read
Overview
The conditional group processor groups existing processors and executes them in sequence only if a condition is met. This is different to enabling individual conditions on each processor and is a method for branching the processing logic. You might use this approach if a required condition for a second processor would be removed by a preceding processor.
Configuration
To configure this processor, drag existing processors into it and configure the parent condition. You can order the processors in the execution order. In this example, the extract metric and aggregate metric processors execute on data items where the level attribute is Emergency.
This configuration generates the following YAML:
- name: kubernetes_input_jt1iw_multiprocessor
type: sequence
processors:
- type: sequence
metadata: '{"id":"KhP8KO88Kvhitx9aN_3pQ","type":"sequence","name":"Conditional
Group"}'
condition: attributes["level"] == "Emergency"
processors:
- type: extract_metric
metadata: '{"id":"_rK4ucX4G8oDcrXWwXh2r","type":"extract_metric","name":"Extract
Metric"}'
extract_metric_rules:
- name: status_code
description: A count of each unique status code
unit: "1"
gauge:
value: attributes["status"]
- type: aggregate_metric
metadata: '{"id":"NoQMsANzEU7ltYMb5r1G0","type":"aggregate_metric","name":"Aggregate
Metric"}'
data_types:
- metric
aggregate_metric_rules:
- name: Count per status code
conditions:
- attributes["response_time_ms"] > 2500
interval: 1m0s
aggregation_type: count
Options
condition
The condition parameter contains a conditional phrase of an OTTL statement. It restricts operation of the processor to only data items where the condition is met. Those data items that do not match the condition are passed without processing. You configure it in the interface and an OTTL condition is generated. It is optional.
Important: All conditions must be written on a single line in YAML. Multi-line conditions are not supported.
Comparison Operators
| Operator | Name | Description | Example |
|---|---|---|---|
== |
Equal to | Returns true if both values are exactly the same |
attributes["status"] == "OK" |
!= |
Not equal to | Returns true if the values are not the same |
attributes["level"] != "debug" |
> |
Greater than | Returns true if the left value is greater than the right |
attributes["duration_ms"] > 1000 |
>= |
Greater than or equal | Returns true if the left value is greater than or equal to the right |
attributes["score"] >= 90 |
< |
Less than | Returns true if the left value is less than the right |
attributes["load"] < 0.75 |
<= |
Less than or equal | Returns true if the left value is less than or equal to the right |
attributes["retries"] <= 3 |
matches |
Regex match | Returns true if the string matches a regular expression (generates IsMatch function) |
IsMatch(attributes["name"], ".*\\.log$") |
Logical Operators
Important: Use lowercase and, or, not - uppercase operators will cause errors!
| Operator | Description | Example |
|---|---|---|
and |
Both conditions must be true | attributes["level"] == "ERROR" and attributes["status"] >= 500 |
or |
At least one condition must be true | attributes["log_type"] == "TRAFFIC" or attributes["log_type"] == "THREAT" |
not |
Negates the condition | not regex_match(attributes["path"], "^/health") |
Functions
| Function | Description | Example |
|---|---|---|
regex_match |
Returns true if string matches the pattern |
regex_match(attributes["message"], "ERROR\|FATAL") |
IsMatch |
Alternative regex function (UI generates this from “matches” operator) | IsMatch(attributes["name"], ".*\\.log$") |
Field Existence Checks
| Check | Description | Example |
|---|---|---|
!= nil |
Field exists (not null) | attributes["user_id"] != nil |
== nil |
Field doesn’t exist | attributes["optional_field"] == nil |
!= "" |
Field is not empty string | attributes["message"] != "" |
Common Examples
- name: _multiprocessor
type: sequence
processors:
- type: <processor type>
# Simple equality check
condition: attributes["request"]["path"] == "/json/view"
- type: <processor type>
# Multiple values with OR
condition: attributes["log_type"] == "TRAFFIC" or attributes["log_type"] == "THREAT"
- type: <processor type>
# Excluding multiple values (NOT equal to multiple values)
condition: attributes["log_type"] != "TRAFFIC" and attributes["log_type"] != "THREAT"
- type: <processor type>
# Complex condition with AND/OR/NOT
condition: (attributes["level"] == "ERROR" or attributes["level"] == "FATAL") and attributes["env"] != "test"
- type: <processor type>
# Field existence and value check
condition: attributes["user_id"] != nil and attributes["user_id"] != ""
- type: <processor type>
# Regex matching using regex_match
condition: regex_match(attributes["path"], "^/api/") and not regex_match(attributes["path"], "^/api/health")
- type: <processor type>
# Regex matching using IsMatch
condition: IsMatch(attributes["message"], "ERROR|WARNING") and attributes["env"] == "production"
Common Mistakes to Avoid
# WRONG - Cannot use OR/AND with values directly
condition: attributes["log_type"] != "TRAFFIC" OR "THREAT"
# CORRECT - Must repeat the full comparison
condition: attributes["log_type"] != "TRAFFIC" and attributes["log_type"] != "THREAT"
# WRONG - Uppercase operators
condition: attributes["status"] == "error" AND attributes["level"] == "critical"
# CORRECT - Lowercase operators
condition: attributes["status"] == "error" and attributes["level"] == "critical"
# WRONG - Multi-line conditions
condition: |
attributes["level"] == "ERROR" and
attributes["status"] >= 500
# CORRECT - Single line (even if long)
condition: attributes["level"] == "ERROR" and attributes["status"] >= 500
processors
The processors parameter specifies the processors that are child objects of the multiprocessor or a conditional group processor. They define a processor and all its required parameters. You define it by dragging existing processors onto the Conditional Group. A processors parameter is required for a conditional group processor.
It is defined in YAML as follows:
- name: multiprocessor
type: sequence
processors:
- type: sequence
metadata: '{"id":"KhP8KO88Kvhitx9aN_3pQ","type":"sequence","name":"Conditional
Group"}'
condition: <condition>
processors:
- type: <processor type>
metadata: '<processor metadata>'
<processor configuration>:
- type: <processor type>
metadata: '<processor metadata>'
<processor configuration>:
See Also
- For an overview and to understand processor sequence flow, see Processors Overview
- To learn how to configure a processor, see Configure a Processor.
- For optimization strategies, see Best Practices for Edge Delta Processors.
- If you’re new to pipelines, start with the Pipeline Quickstart Overview or learn how to Configure a Pipeline.
- Looking to understand how processors interact with sources and destinations? Visit the Pipeline Overview.