edx_map_keys

Learn about the edx_map_keys Edge Delta OTTL extension function.

  2 minute read  

Minimum Agent Version: v1.26.0

edx_map_keys fills a gap in standard OTTL which lacks bulk field renaming capabilities. While OTTL can set and delete individual fields to achieve renaming, it doesn’t provide a way to transform multiple field names according to a schema mapping in a single operation. This Edge Delta extension enables schema normalization by renaming multiple keys at once, which is essential for adapting data to different standards or destination requirements.

Syntax

edx_map_keys(input, current_keys, new_keys, strategy)
  • input: A map (e.g., attributes, resource) whose keys should be mapped to new names.
  • current_keys: An array of current key names to be mapped from.
  • new_keys: An array of new key names to map to (must have the same length as current_keys).
  • strategy: The mapping strategy to use (e.g., “update” to rename keys).

Input

{
  "_type": "log",
  "timestamp": 1735789000000,
  "body": "src_ip=10.0.0.1 dst_ip=192.168.1.100 proto=TCP action=ALLOW bytes=1024",
  "resource": {...},
  "attributes": {
    "curr_schema": ["src_ip", "dst_ip", "proto", "action", "bytes"],
    "new_schema": ["source_address", "destination_address", "protocol", "firewall_action", "byte_count"],
    "decoded_body": "src_ip=10.0.0.1 dst_ip=192.168.1.100 proto=TCP action=ALLOW bytes=1024",
    "kv_map": {
      "src_ip": "10.0.0.1",
      "dst_ip": "192.168.1.100",
      "proto": "TCP",
      "action": "ALLOW",
      "bytes": "1024"
    }
  }
}

Example

edx_map_keys(attributes["kv_map"], attributes["curr_schema"], attributes["new_schema"], "update")

Output

{
  "_type": "log",
  "timestamp": 1735789030000,
  "body": "src_ip=10.0.0.1 dst_ip=192.168.1.100 proto=TCP action=ALLOW bytes=1024",
  "resource": {...},
  "attributes": {
    "curr_schema": ["src_ip", "dst_ip", "proto", "action", "bytes"],
    "new_schema": ["source_address", "destination_address", "protocol", "firewall_action", "byte_count"],
    "decoded_body": "src_ip=10.0.0.1 dst_ip=192.168.1.100 proto=TCP action=ALLOW bytes=1024",
    "kv_map": {
      "source_address": "10.0.0.1",
      "destination_address": "192.168.1.100",
      "protocol": "TCP",
      "firewall_action": "ALLOW",
      "byte_count": "1024"
    }
  }
}

The keys in kv_map have been renamed according to the mapping defined in curr_schema and new_schema. Each key from the current schema has been replaced with its corresponding key from the new schema, enabling seamless schema transformation for data normalization or integration with different systems.