Edge Delta Parse Severity Processor

The Edge Delta parse severity processor parses the severity level from another field.

3 minute read

Overview

The parse severity processor sets the severity_text field in the data item based on a particular field. You can map your expected field values to the set severity_text levels. The input severity level must be a field value so you may need to parse your body first. The severity text is not case sensitive.

For detailed instructions on how to use multiprocessors, see Use Multiprocessors.

Configuration

The severity_text that the Edge Delta application expects are:

trace
debug
info
warn
error
fatal

To configure the parse severity processor you specify the source field and provide the level mapping: In this instance, the source logs have the following severity levels:

Info
Notice
Warning
Error
Critical
Alert
Emergency

They have been parsed into attributes["level"] and they are mapped as follows in the configuration:

Info - info
Notice - info
Warning - warn
Error - error
Critical - error
Alert - fatal
Emergency fatal

YAML version:

- name: Multi Processor
  type: sequence
  processors:
  - type: ottl_transform
    metadata: '{"id":"WZlLxt0gC4VbRiQWfoCmQ","type":"parse-severity","name":"Parse
      Severity Fields"}'
    data_types:
    - log
    statements: |-
      set(cache["lookup"], {"trace": "trace", "debug": "debug", "info": "info", "notice": "info", "warning": "warn", "error": "error", "critical": "error", "fatal": "fatal", "alert": "fatal", "emergency": "fatal"})
      set(severity_text, cache["lookup"][ToLowerCase(attributes["level"])])

Options

condition

The condition parameter contains a conditional phrase of an OTTL statement. It restricts operation of the processor to only data items where the condition is met. Those data items that do not match the condition are passed without processing. You configure it in the interface and an OTTL condition is generated. It is optional. You can select one of the following operators:

Operator	Name	Description	Example
`==`	Equal to	Returns `true` if both values are exactly the same	`attributes["status"] == "OK"`
`!=`	Not equal to	Returns `true` if the values are not the same	`attributes["level"] != "debug"`
`>`	Greater than	Returns `true` if the left value is greater than the right	`attributes["duration_ms"] > 1000`
`>=`	Greater than or equal	Returns `true` if the left value is greater than or equal to the right	`attributes["score"] >= 90`
`<`	Less than	Returns `true` if the left value is less than the right	`attributes["load"] < 0.75`
`<=`	Less than or equal	Returns `true` if the left value is less than or equal to the right	`attributes["retries"] <= 3`
`matches`	Regex match	Returns `true` if the string matches a regular expression	`isMatch(attributes["name"], ".*\\.name$"`

It is defined in YAML as follows:

- name: _multiprocessor
  type: sequence
  processors:
  - type: <processor type>
    condition: attributes["request"]["path"] == "/json/view"

Parse from

Specify the field containing the severity text.

trace

Specify which levels will be assigned to "severity_text": "trace".

debug

Specify which levels will be assigned to "severity_text": "debug".

info

Specify which levels will be assigned to "severity_text": "info".

warn

Specify which levels will be assigned to "severity_text": "warn".

error

Specify which levels will be assigned to "severity_text": error".

fatal

Specify which levels will be assigned to "severity_text": "fatal".

Final

The final parameter specifies whether successfully processed data items should continue to subsequent processors within the same multiprocessor node. Data items that fail to be processed by the processor will be passed to the next processor in the node regardless of this setting. You select the slider in the tool which specifies it for you in the YAML as a Boolean. The default is false and it is optional.

It is defined in YAML as follows:

- name: multiprocessor
  type: sequence
  processors:
    - type: <processor type>
    final: true

Keep original telemetry item

This option defines whether to delete the original unmodified data item after it is processed. For example, you can keep the original log as well as any metrics generated by an extract metric processor. If you select this option your data volume will increase.