Edge Delta Parse JSON Processor
7 minute read
Overview
The parse JSON processor parses a JSON string into an object. You can specify which field to parse and where to place the generated object. The processor performs a conditional transformation based on whether the attributes field is a map or not. If attributes is already a map, the processor will merge the JSON-parsed body into it. If it’s not a map, the processor will replace it completely with the parsed body.
Configuration
Consider this log, which was JSON format before being ingested by the Edge Delta agent:
{
"_type": "log",
"timestamp": 1745310871164,
"body": "{\"timestamp\": \"2025-04-22T08:34:30.147024Z\", \"level\": \"Notice\", \"msg\": \"processing completed with minor issues\", \"user\": {\"email\": \"jane.smith@exampleemail.com\", \"id\": \"6e1bba47-5734-4843-94d8-205a638ec703\", \"name\": \"fd487c15-7e23-493e-92db-762fe63cfbf2\"}, \"request\": {\"ip\": \"172.31.212.225\", \"method\": \"POST\", \"path\": \"/json/view\"}, \"status\": 204, \"response_time_ms\": 466}",
"resource": {
...
},
"attributes": {}
The resource field has been redacted for brevity.
Note the escape characters that have been added by the agent.
This example parses the body and generates the object as an attribute:
This is the YAML version:
- name: Multi Processor
type: sequence
processors:
- type: ottl_transform
metadata: '{"id":"3MBjcOAJZpSM13rweE6Do","type":"parse-json","name":"Parse JSON"}'
statements: |-
merge_maps(attributes, ParseJSON(body), "upsert") where IsMap(attributes)
set(attributes, ParseJSON(body)) where not IsMap(attributes)
This is the resulting output log:
{
"_type": "log",
"timestamp": 1745310871164,
"body": "{\"timestamp\": \"2025-04-22T08:34:30.147024Z\", \"level\": \"Notice\", \"msg\": \"processing completed with minor issues\", \"user\": {\"email\": \"jane.smith@exampleemail.com\", \"id\": \"6e1bba47-5734-4843-94d8-205a638ec703\", \"name\": \"fd487c15-7e23-493e-92db-762fe63cfbf2\"}, \"request\": {\"ip\": \"172.31.212.225\", \"method\": \"POST\", \"path\": \"/json/view\"}, \"status\": 204, \"response_time_ms\": 466}",
"resource": {
...
},
"attributes": {
"level": "Notice",
"msg": "processing completed with minor issues",
"request": {
"ip": "172.31.212.225",
"method": "POST",
"path": "/json/view"
},
"response_time_ms": 466,
"status": 204,
"timestamp": "2025-04-22T08:34:30.147024Z",
"user": {
"email": "jane.smith@exampleemail.com",
"id": "6e1bba47-5734-4843-94d8-205a638ec703",
"name": "fd487c15-7e23-493e-92db-762fe63cfbf2"
}
}
}
Options
Select a telemetry type
You can specify, log, metric, trace or all. It is specified using the interface, which generates a YAML list item for you under the data_types parameter. This defines the data item types against which the processor must operate. If data_types is not specified, the default value is all. It is optional.
It is defined in YAML as follows:
- name: multiprocessor
type: sequence
processors:
- type: <processor type>
data_types:
- log
condition
The condition parameter contains a conditional phrase of an OTTL statement. It restricts operation of the processor to only data items where the condition is met. Those data items that do not match the condition are passed without processing. You configure it in the interface and an OTTL condition is generated. It is optional.
Important: All conditions must be written on a single line in YAML. Multi-line conditions are not supported.
Comparison Operators
| Operator | Name | Description | Example |
|---|---|---|---|
== |
Equal to | Returns true if both values are exactly the same |
attributes["status"] == "OK" |
!= |
Not equal to | Returns true if the values are not the same |
attributes["level"] != "debug" |
> |
Greater than | Returns true if the left value is greater than the right |
attributes["duration_ms"] > 1000 |
>= |
Greater than or equal | Returns true if the left value is greater than or equal to the right |
attributes["score"] >= 90 |
< |
Less than | Returns true if the left value is less than the right |
attributes["load"] < 0.75 |
<= |
Less than or equal | Returns true if the left value is less than or equal to the right |
attributes["retries"] <= 3 |
matches |
Regex match | Returns true if the string matches a regular expression (generates IsMatch function) |
IsMatch(attributes["name"], ".*\\.log$") |
Logical Operators
Important: Use lowercase and, or, not - uppercase operators will cause errors!
| Operator | Description | Example |
|---|---|---|
and |
Both conditions must be true | attributes["level"] == "ERROR" and attributes["status"] >= 500 |
or |
At least one condition must be true | attributes["log_type"] == "TRAFFIC" or attributes["log_type"] == "THREAT" |
not |
Negates the condition | not regex_match(attributes["path"], "^/health") |
Functions
| Function | Description | Example |
|---|---|---|
regex_match |
Returns true if string matches the pattern |
regex_match(attributes["message"], "ERROR\|FATAL") |
IsMatch |
Alternative regex function (UI generates this from “matches” operator) | IsMatch(attributes["name"], ".*\\.log$") |
Field Existence Checks
| Check | Description | Example |
|---|---|---|
!= nil |
Field exists (not null) | attributes["user_id"] != nil |
== nil |
Field doesn’t exist | attributes["optional_field"] == nil |
!= "" |
Field is not empty string | attributes["message"] != "" |
Common Examples
- name: _multiprocessor
type: sequence
processors:
- type: <processor type>
# Simple equality check
condition: attributes["request"]["path"] == "/json/view"
- type: <processor type>
# Multiple values with OR
condition: attributes["log_type"] == "TRAFFIC" or attributes["log_type"] == "THREAT"
- type: <processor type>
# Excluding multiple values (NOT equal to multiple values)
condition: attributes["log_type"] != "TRAFFIC" and attributes["log_type"] != "THREAT"
- type: <processor type>
# Complex condition with AND/OR/NOT
condition: (attributes["level"] == "ERROR" or attributes["level"] == "FATAL") and attributes["env"] != "test"
- type: <processor type>
# Field existence and value check
condition: attributes["user_id"] != nil and attributes["user_id"] != ""
- type: <processor type>
# Regex matching using regex_match
condition: regex_match(attributes["path"], "^/api/") and not regex_match(attributes["path"], "^/api/health")
- type: <processor type>
# Regex matching using IsMatch
condition: IsMatch(attributes["message"], "ERROR|WARNING") and attributes["env"] == "production"
Common Mistakes to Avoid
# WRONG - Cannot use OR/AND with values directly
condition: attributes["log_type"] != "TRAFFIC" OR "THREAT"
# CORRECT - Must repeat the full comparison
condition: attributes["log_type"] != "TRAFFIC" and attributes["log_type"] != "THREAT"
# WRONG - Uppercase operators
condition: attributes["status"] == "error" AND attributes["level"] == "critical"
# CORRECT - Lowercase operators
condition: attributes["status"] == "error" and attributes["level"] == "critical"
# WRONG - Multi-line conditions
condition: |
attributes["level"] == "ERROR" and
attributes["status"] >= 500
# CORRECT - Single line (even if long)
condition: attributes["level"] == "ERROR" and attributes["status"] >= 500
Parse from
Specify the field containing the JSON string data.
Assign to
Specify the field where you want the parsed object to be saved.
Final
Determines whether successfully processed data items should continue through the remaining processors in the same processor stack. If final is set to true, data items output by this processor are not passed to subsequent processors within the node—they are instead emitted to downstream nodes in the pipeline (e.g., a destination). Failed items are always passed to the next processor, regardless of this setting.
The UI provides a slider to configure this setting. The default is false. It is defined in YAML as follows:
- name: multiprocessor
type: sequence
processors:
- type: <processor type>
final: true
Keep original telemetry item
Controls whether the original, unmodified telemetry item is preserved after processing. If keep_item is set to true, the processor emits both:
- The original telemetry item (e.g., a log), and
- Any new item generated by the processor (e.g., a metric extracted from the log)
Both items are passed to the next processor in the stack unless final is also set.
Interaction with final
If final: true is enabled, any successfully processed data items, whether original, newly created, or both, exit the processor stack or node immediately. No subsequent processors within the same node are evaluated, although downstream processing elsewhere in the pipeline continues. This means:
- If
keep_item: trueandfinal: true, both the original and processed items bypass the remaining processors in the current node and are forwarded to downstream nodes (such as destinations). - If
keep_item: falseandfinal: true, only the processed item continues beyond this processor, skipping subsequent processors in the stack, and the original item is discarded.
Note: If the data item fails to be processed, final has no effect, the item continues through the remaining processors in the node regardless of the keep_item setting.
The app provides a slider to configure keep_item. The default is false.
- name: ed_gateway_output_a3fa_multiprocessor
type: sequence
processors:
- type: <processor_type>
keep_item: true
final: true
See Also
- For an overview and to understand processor sequence flow, see Processors Overview
- To learn how to configure a processor, see Configure a Processor.
- For optimization strategies, see Best Practices for Edge Delta Processors.
- If you’re new to pipelines, start with the Pipeline Quickstart Overview or learn how to Configure a Pipeline.
- Looking to understand how processors interact with sources and destinations? Visit the Pipeline Overview.