set
3 minute read
Overview
This function is used to explicitly set a telemetry field to a specified value, providing flexibility in updating or assigning values within the telemetry data structure.
Syntax
set(target, value)
- Target: A path expression indicating the telemetry field where the value will be set.
- Value: The value to be assigned to the target. This can be of any data type. If the value resolves to
nil(for example, if it references an unset map value), no action will occur.
Examples
Input
{
"_type": "log",
"attributes": {
"decoded_body": "User's IP address: 192.168.1.xxx; Action: Login attempt.",
"ip_addresses": "192.168.1.xxx, 10.10.10.10, 172.16.0.1"
},
"body": "User's IP address: 192.168.1.45; Action: Login attempt.",
"resource": {
"ed.conf.id": "123456789",
"ed.domain": "pipeline",
"ed.org.id": "987654321",
"ed.source.name": "Kubernetes Source",
"ed.source.type": "memory_input",
"ed.tag": "loggen",
"host.ip": "10.0.0.1",
"host.name": "ED_TEST",
"service.name": "ed-tester",
"src_type": null
},
"timestamp": 1733439280081
}
Statement
set(attributes["host"], resource["host.ip"])
set(attributes["notes"], "comment")
Output
{
"_type": "log",
"attributes": {
"decoded_body": "User's IP address: 192.168.1.xxx; Action: Login attempt.",
"host": "10.0.0.1",
"ip_addresses": "192.168.1.xxx, 10.10.10.10, 172.16.0.1",
"notes": "comment"
},
"body": "User's IP address: 192.168.1.45; Action: Login attempt.",
"resource": {
"ed.conf.id": "123456789",
"ed.domain": "pipeline",
"ed.org.id": "987654321",
"ed.source.name": "Kubernetes Source",
"ed.source.type": "memory_input",
"ed.tag": "loggen",
"host.ip": "10.0.0.1",
"host.name": "ED_TEST",
"service.name": "ed-tester",
"src_type": null
},
"timestamp": 1733439335943
}
In this example, the host field within the attributes object is set to the value from host.ip in resource. In addition, a second statement adds a static string value to notes in attributes.
Preserve types for top-level paths
The attributes, resource, and body paths have expected types that downstream nodes depend on. For example, attributes and resource must be maps so that destinations can index into them with expressions like attributes["splunk_token"] or resource["k8s.namespace.name"].
Setting a top-level path to a different type replaces the entire structure. For example, set(attributes, "") converts attributes from a map to a string. Any downstream node that indexes into attributes then fails with an error such as type: string is not allowed.
Important
To clear all fields while preserving the map type, use an empty map:
set(attributes, {})
Do not use set(attributes, "") or set(resource, ""). This converts the field to a string and breaks any destination or processor that reads from it.
This applies to any destination that uses OTTL expressions to extract values from attributes or resource, including:
- Splunk HEC and Splunk Load Balanced destinations (
token_expression,index_expression) - Elastic destination (
index_expression) - Google Cloud Logging destination (
log_name,resource_type_expression,resource_labels_expression)
Do not set body to empty
Setting the body field to an empty string will cause the log to be dropped by Edge Delta. If you need to clear the body content after extracting data to attributes, use a non-empty placeholder:
// ❌ This causes logs to be dropped
set(body, "")
// ✅ Use a placeholder instead
set(body, EDXEncode("-", "utf-8"))
If you truly want to discard the log, use a filter or route node instead.