Edge Delta Parse JSON Processor

The Edge Delta parse JSON processor parses a JSON field into structured data.

4 minute read

Overview

The parse JSON processor parses a JSON string into an object. You can specify which field to parse and where to place the generated object. The processor performs a conditional transformation based on whether the attributes field is a map or not. If attributes is already a map, the processor will merge the JSON-parsed body into it. If it’s not a map, the processor will replace it completely with the parsed body.

For detailed instructions on how to use multiprocessors, see Use Multiprocessors.

Configuration

Consider this log, which was JSON format before being ingested by the Edge Delta agent:

{
  "_type": "log",
  "timestamp": 1745310871164,
  "body": "{\"timestamp\": \"2025-04-22T08:34:30.147024Z\", \"level\": \"Notice\", \"msg\": \"processing completed with minor issues\", \"user\": {\"email\": \"jane.smith@exampleemail.com\", \"id\": \"6e1bba47-5734-4843-94d8-205a638ec703\", \"name\": \"fd487c15-7e23-493e-92db-762fe63cfbf2\"}, \"request\": {\"ip\": \"172.31.212.225\", \"method\": \"POST\", \"path\": \"/json/view\"}, \"status\": 204, \"response_time_ms\": 466}",
  "resource": {
...
  },
  "attributes": {}

The resource field has been redacted for brevity.

Note the escape characters that have been added by the agent.

This example parses the body and generates the object as an attribute:

This is the YAML version:

- name: Multi Processor
  type: sequence
  processors:
  - type: ottl_transform
    metadata: '{"id":"3MBjcOAJZpSM13rweE6Do","type":"parse-json","name":"Parse JSON"}'
    statements: |-
      merge_maps(attributes, ParseJSON(body), "upsert") where IsMap(attributes)
      set(attributes, ParseJSON(body)) where not IsMap(attributes)

This is the resulting output log:

{
  "_type": "log",
  "timestamp": 1745310871164,
  "body": "{\"timestamp\": \"2025-04-22T08:34:30.147024Z\", \"level\": \"Notice\", \"msg\": \"processing completed with minor issues\", \"user\": {\"email\": \"jane.smith@exampleemail.com\", \"id\": \"6e1bba47-5734-4843-94d8-205a638ec703\", \"name\": \"fd487c15-7e23-493e-92db-762fe63cfbf2\"}, \"request\": {\"ip\": \"172.31.212.225\", \"method\": \"POST\", \"path\": \"/json/view\"}, \"status\": 204, \"response_time_ms\": 466}",
  "resource": {
...
  },
  "attributes": {
    "level": "Notice",
    "msg": "processing completed with minor issues",
    "request": {
      "ip": "172.31.212.225",
      "method": "POST",
      "path": "/json/view"
    },
    "response_time_ms": 466,
    "status": 204,
    "timestamp": "2025-04-22T08:34:30.147024Z",
    "user": {
      "email": "jane.smith@exampleemail.com",
      "id": "6e1bba47-5734-4843-94d8-205a638ec703",
      "name": "fd487c15-7e23-493e-92db-762fe63cfbf2"
    }
  }
}

Options

Select a telemetry type

You can specify, log, metric, trace or all. It is specified using the interface, which generates a YAML list item for you under the data_types parameter. This defines the data item types against which the processor must operate. If data_types is not specified, the default value is all. It is optional.

It is defined in YAML as follows:

- name: multiprocessor
  type: sequence
  processors:
  - type: <processor type>
    data_types:
    - log

condition

The condition parameter contains a conditional phrase of an OTTL statement. It restricts operation of the processor to only data items where the condition is met. Those data items that do not match the condition are passed without processing. You configure it in the interface and an OTTL condition is generated. It is optional. You can select one of the following operators:

Operator	Name	Description	Example
`==`	Equal to	Returns `true` if both values are exactly the same	`attributes["status"] == "OK"`
`!=`	Not equal to	Returns `true` if the values are not the same	`attributes["level"] != "debug"`
`>`	Greater than	Returns `true` if the left value is greater than the right	`attributes["duration_ms"] > 1000`
`>=`	Greater than or equal	Returns `true` if the left value is greater than or equal to the right	`attributes["score"] >= 90`
`<`	Less than	Returns `true` if the left value is less than the right	`attributes["load"] < 0.75`
`<=`	Less than or equal	Returns `true` if the left value is less than or equal to the right	`attributes["retries"] <= 3`
`matches`	Regex match	Returns `true` if the string matches a regular expression	`isMatch(attributes["name"], ".*\\.name$"`

It is defined in YAML as follows:

- name: _multiprocessor
  type: sequence
  processors:
  - type: <processor type>
    condition: attributes["request"]["path"] == "/json/view"

Parse from

Specify the field containing the JSON string data.

Assign to

Specify the field where you want the parsed object to be saved.

Final

The final parameter specifies whether successfully processed data items should continue to subsequent processors within the same multiprocessor node. Data items that fail to be processed by the processor will be passed to the next processor in the node regardless of this setting. You select the slider in the tool which specifies it for you in the YAML as a Boolean. The default is false and it is optional.

It is defined in YAML as follows:

- name: multiprocessor
  type: sequence
  processors:
    - type: <processor type>
    final: true

Keep original telemetry item

This option defines whether to delete the original unmodified data item after it is processed. For example, you can keep the original log as well as any metrics generated by an extract metric processor. If you select this option your data volume will increase.