OTTL Quick Reference
Quick reference guide for OTTL syntax, operators, functions, and common patterns in Edge Delta telemetry pipelines.
Statement Syntax
function(target, arguments) where condition
Components:
- function: Editor or converter function name
- target: Field path using bracket notation
- arguments: Values, paths, or nested functions
- where: Optional condition for conditional execution
Path Notation
| Path | Description | Example |
|---|---|---|
| body | Log body (byte array) | Decode(body, "utf-8") |
| attributes["key"] | Attribute field | attributes["user_id"] |
| attributes["nested"]["key"] | Nested attribute | attributes["http"]["status"] |
| resource["key"] | Resource field | resource["k8s.namespace.name"] |
| cache["key"] | Temporary storage | cache["parsed_body"] |
| timestamp | Log timestamp (UnixMilli) | set(timestamp, UnixMilli(Now())) |
| severity_text | Severity string | set(severity_text, "ERROR") |
Operators
Comparison Operators
| Operator | Description | Example |
|---|---|---|
| == | Equal | attributes["status"] == "error" |
| != | Not equal | attributes["level"] != "debug" |
| > | Greater than | attributes["count"] > 100 |
| < | Less than | attributes["score"] < 50 |
| >= | Greater or equal | attributes["threshold"] >= 90 |
| <= | Less or equal | attributes["retries"] <= 3 |
Logical Operators
Critical: Use lowercase and, or, not. Uppercase causes errors.
| Operator | Description | Example |
|---|---|---|
| and | Both true | a == 1 and b == 2 |
| or | Either true | a == 1 or a == 2 |
| not | Negation | not IsMatch(a, "test") |
Editor Functions (Modify Data)
Field Operations
| Function | Syntax | Purpose |
|---|---|---|
| set | set(target, value) | Set field value |
| delete_key | delete_key(map, "key") | Remove single key |
| delete_matching_keys | delete_matching_keys(map, "regex") | Remove matching keys |
| keep_keys | keep_keys(map, ["k1", "k2"]) | Keep only listed keys |
| keep_matching_keys | keep_matching_keys(map, "regex") | Keep matching keys |
Array Operations
| Function | Syntax | Purpose |
|---|---|---|
| append | append(target, value) | Add to array |
| limit | limit(map, count, ["priority"]) | Limit map size |
String Operations
| Function | Syntax | Purpose |
|---|---|---|
| replace_match | replace_match(target, pattern, replacement) | Replace exact match |
| replace_pattern | replace_pattern(target, regex, replacement) | Replace regex match |
| replace_all_matches | replace_all_matches(map, pattern, replacement) | Replace in all values |
| replace_all_patterns | replace_all_patterns(map, regex, replacement) | Regex replace in all |
| truncate_all | truncate_all(map, maxLen) | Truncate all values |
Map Operations
| Function | Syntax | Purpose |
|---|---|---|
| merge_maps | merge_maps(target, source, "strategy") | Merge maps |
| flatten | flatten(map, "prefix", depth) | Flatten nested map |
String Functions
| Function | Syntax | Returns |
|---|---|---|
| Concat | Concat([val1, val2], sep) | Joined string |
| ConvertCase | ConvertCase(str, "upper/lower/snake/camel") | Converted string |
| Split | Split(str, delimiter) | String array |
| Substring | Substring(str, start, length) | Substring |
| Trim | Trim(str) | Trimmed string |
| Decode | Decode(bytes, "utf-8") | String from bytes |
| Len | Len(str) | Integer length |
| HasPrefix | HasPrefix(str, "prefix") | Boolean |
| HasSuffix | HasSuffix(str, "suffix") | Boolean |
Pattern Functions
| Function | Syntax | Returns |
|---|---|---|
| IsMatch | IsMatch(str, "regex") | Boolean |
| ExtractPatterns | ExtractPatterns(str, "(?P<name>...)") | Map of captures |
| ExtractGrokPatterns | ExtractGrokPatterns(str, "%{PATTERN:name}") | Map of captures |
Parsing Functions
| Function | Syntax | Returns |
|---|---|---|
| ParseJSON | ParseJSON(str) | Map/any |
| ParseKeyValue | ParseKeyValue(str, "=", " ") | Map |
| ParseCSV | ParseCSV(str) | String array |
| ParseXML | ParseXML(str) | Map |
| ParseInt | ParseInt(str, base) | Integer |
Type Conversion
| Function | Syntax | Returns |
|---|---|---|
| String | String(value) | String |
| Int | Int(value) | Integer |
| Double | Double(value) | Float |
| IsString | IsString(value) | Boolean |
| IsInt | IsInt(value) | Boolean |
| IsDouble | IsDouble(value) | Boolean |
| IsMap | IsMap(value) | Boolean |
| IsList | IsList(value) | Boolean |
| IsBool | IsBool(value) | Boolean |
Hash Functions
| Function | Syntax | Returns |
|---|---|---|
| SHA256 | SHA256(str) | Hash string |
| SHA1 | SHA1(str) | Hash string |
| MD5 | MD5(str) | Hash string |
| FNV | FNV(str) | Hash integer |
| Murmur3 | Murmur3(str) | Hash integer |
Time Functions
| Function | Syntax | Returns |
|---|---|---|
| Now | Now() | Current time.Time |
| Time | Time(str, format) | Parsed time.Time |
| UnixMilli | UnixMilli(time) | Int64 milliseconds |
| Duration | Duration(str) | time.Duration |
| TruncateTime | TruncateTime(time, duration) | Truncated time |
| Year | Year(time) | Integer |
| Month | Month(time) | Integer |
| Day | Day(time) | Integer |
| Hour | Hour(time) | Integer |
| Minute | Minute(time) | Integer |
| Second | Second(time) | Integer |
Collection Functions
| Function | Syntax | Returns |
|---|---|---|
| Len | Len(collection) | Integer count |
| Keys | Keys(map) | Key array |
| Values | Values(map) | Value array |
| Sort | Sort(array, order) | Sorted array |
| Index | Index(array, idx) | Element at index |
| ContainsValue | ContainsValue(map, value) | Boolean |
Utility Functions
| Function | Syntax | Returns |
|---|---|---|
| Format | Format(template, [args]) | Formatted string |
| UUID | UUID() | UUID string |
| Hex | Hex(bytes) | Hex string |
| URL | URL(str) | URL components map |
| UserAgent | UserAgent(str) | UA components map |
Edge Delta Custom Functions
| Function | Syntax | Purpose |
|---|---|---|
| EDXEncode | EDXEncode(str, "utf-8") | Encode to bytes |
| EDXIfElse | EDXIfElse(cond, true_val, false_val) | Ternary expression |
| EDXCoalesce | EDXCoalesce(val1, val2, ...) | First non-nil value |
| EDXLookup | EDXLookup(table, key) | Lookup table query |
| EDXEncrypt | EDXEncrypt(str, key) | Encrypt value |
| EDXDecrypt | EDXDecrypt(str, key) | Decrypt value |
| EDXParseKeyValue | EDXParseKeyValue(str, opts) | Advanced KV parsing |
| edx_code | edx_code(attributes, "script") | JavaScript execution |
| edx_delete_keys | edx_delete_keys(map, ["k1", "k2"]) | Delete multiple keys |
| edx_keep_keys | edx_keep_keys(map, ["k1", "k2"]) | Keep multiple keys |
| edx_delete_matching_keys | edx_delete_matching_keys(map, "regex") | Delete by pattern |
| edx_keep_matching_keys | edx_keep_matching_keys(map, "regex") | Keep by pattern |
| edx_delete_empty_values | edx_delete_empty_values(map) | Remove empty fields |
| edx_map_keys | edx_map_keys(map, mapping) | Rename keys |
Common Patterns
Decode and Parse JSON Body
set(cache["body"], Decode(body, "utf-8"))
set(cache["json"], ParseJSON(cache["body"]))
set(attributes["field"], cache["json"]["field"])
set(attributes, ExtractPatterns(Decode(body, "utf-8"), "(?P<ip>\\d+\\.\\d+\\.\\d+\\.\\d+).*(?P<user>\\w+)"))
Conditional Set
set(attributes["env"], "prod") where resource["k8s.namespace.name"] == "production"
set(attributes["env"], "dev") where attributes["env"] == nil
Mask Sensitive Data
set(cache["body"], Decode(body, "utf-8"))
replace_pattern(cache["body"], "\\b\\d{16}\\b", "****-****-****-****")
set(body, EDXEncode(cache["body"], "utf-8"))
Check Field Existence
set(attributes["has_user"], true) where attributes["user_id"] != nil
set(attributes["has_user"], false) where attributes["user_id"] == nil
Type-Safe Operations
set(attributes["count_int"], Int(attributes["count"])) where IsString(attributes["count"])
set(attributes["upper"], ConvertCase(attributes["name"], "upper")) where IsString(attributes["name"])
Multiple Conditions
set(attributes["alert"], true) where attributes["level"] == "error" and attributes["count"] > 10
set(attributes["skip"], true) where attributes["env"] == "test" or attributes["debug"] == true
Clean Up Fields
delete_matching_keys(attributes, "^debug_.*")
delete_matching_keys(attributes, "^internal_.*")
keep_keys(attributes, ["user_id", "request_id", "status", "duration"])
| Pattern | Description | Example |
|---|---|---|
| %Y | 4-digit year | 2025 |
| %m | 2-digit month | 01 |
| %d | 2-digit day | 02 |
| %H | 2-digit hour (24h) | 15 |
| %M | 2-digit minute | 30 |
| %S | 2-digit second | 45 |
| %f | Microseconds | 123456 |
| %z | Timezone offset | +00:00 |
Common Formats:
- ISO8601: %Y-%m-%dT%H:%M:%SZ
- RFC3339: %Y-%m-%dT%H:%M:%S.%f%z
- Apache: %d/%b/%Y:%H:%M:%S %z
Duration Units
| Unit | Description | Example |
|---|---|---|
| h | Hours | "2h" |
| m | Minutes | "30m" |
| s | Seconds | "45s" |
| ms | Milliseconds | "500ms" |
| us | Microseconds | "1000us" |
| ns | Nanoseconds | "1000000ns" |
Combinations: "2h30m45s", "1h30m", "90s"
Regex Tips
Escape Special Characters
Double-escape backslashes in OTTL strings:
- \\d for digit
- \\s for whitespace
- \\b for word boundary
- \\. for literal dot
Named Capture Groups
Use (?P<name>pattern) for ExtractPatterns:
ExtractPatterns(str, "(?P<ip>\\d+\\.\\d+\\.\\d+\\.\\d+)")
Backreferences in Replacements
Use $$1, $$2 for capture group references:
replace_pattern(cache["str"], "(\\d{4})\\d{8}(\\d{4})", "$$1****$$2")
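An added example (not Edge Delta's code) that replays this page's two masking patterns over constructed log lines to show what each rule redacts, misses and over-matches before it is deployed. It uses Python's `re` as a stand-in for the pipeline's regex engine; `CANDIDATE`, `luhn_ok` and `audit` are illustrative names, not OTTL functions.

```python
import re

# Patterns from this page, with single backslashes: the double escape
# is only needed inside OTTL string literals.
FULL = re.compile(r"\b\d{16}\b")              # "Mask Sensitive Data"
PARTIAL = re.compile(r"(\d{4})\d{8}(\d{4})")  # "Backreferences" ($$1 -> \1)
# Assumption (not from the page): a looser candidate finder, 13-19 digits
# with optional single space/dash separators, used only to spot misses.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_full(line):
    return FULL.sub("****-****-****-****", line)

def mask_partial(line):
    return PARTIAL.sub(r"\1****\2", line)

def audit(line):
    """Classify what the full-mask rule does to one log line."""
    hits = FULL.findall(line)
    if hits:
        return "masked" if all(luhn_ok(h) for h in hits) else "over-masked"
    leftovers = [re.sub(r"[ -]", "", m) for m in CANDIDATE.findall(line)]
    return "missed" if any(luhn_ok(c) for c in leftovers) else "clean"

# Constructed sample lines (4111111111111111 is a widely used test number).
SAMPLES = [
    "charge ok card=4111111111111111 amount=12.50",
    "charge ok card=4111-1111-1111-1111 amount=12.50",
    "charge ok card=4111 1111 1111 1111 amount=12.50",
    "order_id=1234567890123456 shipped",
    "span_id=12345678901234567890 done",
]

def report():
    return [(audit(s), mask_full(s), mask_partial(s)) for s in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The separator-formatted numbers pass through both rules untouched, the 16-digit order ID is redacted although it is not a card number, and the partial pattern, which has no `\b` anchors, rewrites the first 16 digits of the longer span ID.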
Common Mistakes
| Wrong | Correct | Issue |
|---|---|---|
| AND | and | Uppercase operators fail |
| OR | or | Uppercase operators fail |
| && | and | C-style operators not supported |
| \d | \\d | Need double-escape in strings |
| $1 | $$1 | Need double-dollar for backreference |
| body["field"] | Decode(body, "utf-8") | Body is bytes, not map |