edx_delete_keys

Learn about the edx_delete_keys Edge Delta OTTL extension function.

Minimum Agent Version: v1.23.0

edx_delete_keys enhances the standard OTTL delete_key function. While the default OTTL function can only delete one key at a time, this Edge Delta extension enables batch deletion of multiple specific keys in a single operation. This is particularly useful when you need to remove several unrelated keys that don’t follow a common pattern, eliminating the need for multiple individual delete operations.

Syntax

edx_delete_keys(input, ["key1", "key2", "key3"])
  • input: A map (e.g., resource or attributes) from which keys are to be deleted.
  • keys: An array of key names to be deleted.

Input

{
  "_type": "log",
  "timestamp": 1735787654284,
  "body": "Firewall_action=block rule_id=R102 rule_name=Block_All_Outgoing user_id=admin user_group=network_admins protocol=TCP severity=high src_ip=10.0.0.1 dst_ip=192.168.1.100",
  "resource": {...},
  "attributes": {
    "decoded_body": "Firewall_action=block rule_id=R102 rule_name=Block_All_Outgoing user_id=admin user_group=network_admins protocol=TCP severity=high src_ip=10.0.0.1 dst_ip=192.168.1.100",
    "kv_map": {
      "Firewall_action": "block",
      "dst_ip": "192.168.1.100",
      "protocol": "TCP",
      "rule_id": "R102",
      "rule_name": "Block_All_Outgoing",
      "severity": "high",
      "src_ip": "10.0.0.1",
      "user_group": "network_admins",
      "user_id": "admin"
    }
  }
}

Example

edx_delete_keys(attributes["kv_map"], ["rule_id", "rule_name", "user_id", "user_group"])

Output

{
  "_type": "log",
  "timestamp": 1735787684654,
  "body": "Firewall_action=block rule_id=R102 rule_name=Block_All_Outgoing user_id=admin user_group=network_admins protocol=TCP severity=high src_ip=10.0.0.1 dst_ip=192.168.1.100",
  "resource": {...},
  "attributes": {
    "decoded_body": "Firewall_action=block rule_id=R102 rule_name=Block_All_Outgoing user_id=admin user_group=network_admins protocol=TCP severity=high src_ip=10.0.0.1 dst_ip=192.168.1.100",
    "kv_map": {
      "Firewall_action": "block",
      "dst_ip": "192.168.1.100",
      "protocol": "TCP",
      "severity": "high",
      "src_ip": "10.0.0.1"
    }
  }
}

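The keys rule_id, rule_name, user_id, and user_group have been removed from attributes["kv_map"] as a batch in a single operation. The body and attributes["decoded_body"] fields are not modified, so they still contain the original key=value text for those keys.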
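One way to check an event for copies of deleted fields that remain outside the map, as in the Output's body and decoded_body. This is an added Python model, not Edge Delta's implementation or part of the original page; the function names are hypothetical, and silently skipping keys that are absent from the map is an assumption.

```python
import re

# Constructed sample: the raw line from the page's Input (resource omitted).
RAW = ("Firewall_action=block rule_id=R102 rule_name=Block_All_Outgoing "
       "user_id=admin user_group=network_admins protocol=TCP severity=high "
       "src_ip=10.0.0.1 dst_ip=192.168.1.100")


def parse_kv(text):
    """Split 'k=v k=v' text into a dict shaped like the page's kv_map."""
    return dict(pair.split("=", 1) for pair in text.split() if "=" in pair)


def delete_keys(target, keys):
    """Model of batch deletion: remove each listed key from the map in place.
    Assumption: keys that are not present are skipped silently."""
    for key in keys:
        target.pop(key, None)


def residual_fields(event, keys):
    """Return {field_path: [keys]} for every string field that still
    contains 'key=' for one of the deleted keys."""
    found = {}

    def walk(node, path):
        if isinstance(node, dict):
            for name, value in node.items():
                walk(value, f"{path}.{name}" if path else name)
        elif isinstance(node, str):
            hits = [k for k in keys
                    if re.search(rf"(?<![\w.-]){re.escape(k)}=", node)]
            if hits:
                found[path] = hits

    walk(event, "")
    return found


def build_event():
    """Rebuild the page's Input event from the constructed raw line."""
    return {"_type": "log", "body": RAW,
            "attributes": {"decoded_body": RAW, "kv_map": parse_kv(RAW)}}


if __name__ == "__main__":
    event = build_event()
    drop = ["rule_id", "rule_name", "user_id", "user_group"]
    delete_keys(event["attributes"]["kv_map"], drop)
    print(sorted(event["attributes"]["kv_map"]))
    print(residual_fields(event, drop))
```

Fields reported by residual_fields need their own redaction or removal step if the deleted keys must not leave the pipeline.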