ExtractPatterns
Learn about the ExtractPatterns OTTL converter function.
less than a minute
The ExtractPatterns converter extracts regex matches from a string.
Edge Delta Extension Available: EDXExtractPatterns enhances this function by allowing you to use a field reference for the pattern parameter instead of a hardcoded pattern.
Syntax: ExtractPatterns(string, pattern)
- string: the bracket notation location of the string field
- pattern: the regex pattern to use for extraction, including a capture group to name the key.
Input
{
"_type": "log",
"attributes": {
"decoded_body": "error 404 at /home/reports failed"
},
"body": "error 404 at /home/reports failed",
"resource": {
"ed.conf.id": "123456789",
"ed.domain": "pipeline",
"ed.org.id": "987654321",
"ed.source.name": "__ed_dummy_test_input",
"ed.source.type": "memory_input",
"ed.tag": "loggen",
"host.ip": "10.0.0.1",
"host.name": "ED_TEST",
"service.name": "ed-tester",
"src_type": "memory_input"
},
"timestamp": 1733892944490
}
Statement
set(attributes["extracted"], ExtractPatterns(attributes["decoded_body"], "(?P<error_code>\\d{3})"))
Output
{
"_type": "log",
"attributes": {
"decoded_body": "error 404 at /home/reports failed",
"extracted": {
"error_code": "404"
}
},
"body": "error 404 at /home/reports failed",
"resource": {
"ed.conf.id": "123456789",
"ed.domain": "pipeline",
"ed.org.id": "987654321",
"ed.source.name": "__ed_dummy_test_input",
"ed.source.type": "memory_input",
"ed.tag": "loggen",
"host.ip": "10.0.0.1",
"host.name": "ED_TEST",
"service.name": "ed-tester",
"src_type": "memory_input"
},
"timestamp": 1733892979045
}
The statement extracted three consecutive digits from the decoded_body using the named capture group error_code in the regex pattern.