Edge Delta Resource Transform Node

Transform resource fields.

Overview

The Resource Transform node changes or adds source information (resources section) of incoming log items. It supports both Common Expression Language (CEL) and Go templates for evaluating expressions.

Each transformation node is designed for enriching different sections of the data item:

| Node | Attribute | Resource | Body | Timestamp | Any Field | Restrictions |
|---|---|---|---|---|---|---|
| Output Transform | Y | Y | Y | Y | Y | Outputs a Custom type data item that can't be ingested by the Edge Delta Archive node. The whole payload is flattened and sent as the event, with all other fields empty. |
| Log Transform | Y | N | N | Y | N | Can only ingest logs, and it outputs only logs. |
| Resource Transform | N | Y | N | N | N | Can only ingest logs, and it outputs only logs. |
| Mask | N | N | Y | N | N | Can only ingest logs, and it outputs only logs. New value can only be a static string. |

The body field is protected from dynamic enrichment until the end of the pipeline (Output Transform) to prevent schema changes from disabling pipeline functionality.

Example Configuration

The following configuration adds three fields to the resource data: k8s.container.name, k8s.namespace.name, and k8s.pod.name. The k8s.container.name and k8s.namespace.name values are extracted from the JSON body of the log. The k8s.pod.name value is the static value "-".

nodes:
- name: resource_transform
  type: resource_transform
  target_source_type: k8s
  source_field_overrides:
  - field: k8s.container.name
    expression: json(item["body"]).kubernetes.container.name
  - field: k8s.namespace.name
    expression: json(item["body"]).kubernetes.namespace
  - field: k8s.pod.name
    expression: '"-"'

Consider the following input log:

{"kubernetes": {"container": {"name": "container-1"}, "namespace": "namespace-a"}}

Suppose it is ingested with the following resource data:

{
  "_type": "log",
  "body": "{\"kubernetes\": {\"container\": {\"name\": \"container-1\"}, \"namespace\": \"namespace-a\"}}",
  "resource": {
    "ed.conf.id": "12345678-1x234-4abc-def5-12345678910g",
    "ed.org.id": "1098765a-432b-1cde-2345-fg6789hij101",
    "ed.tag": "parallel_container",
    "host.ip": "10.0.0.1",
    "host.name": "ED_TEST",
    "src_type": "memory_input"
  },
  "timestamp": 1715691719745
}

After processing by the Resource Transform node, the data item contains additional k8s resource fields.

{
  "_type": "log",
  "body": "{\"kubernetes\": {\"container\": {\"name\": \"container-1\"}, \"namespace\": \"namespace-a\"}}",
  "resource": {
    "container.id": "",
    "container.image.name": "",
    "ed.conf.id": "12345678-1x234-4abc-def5-12345678910g",
    "ed.filepath": "",
    "ed.org.id": "1098765a-432b-1cde-2345-fg6789hij101",
    "ed.tag": "parallel_container",
    "host.ip": "10.0.0.1",
    "host.name": "ED_TEST",
    "k8s.container.name": "container-1",
    "k8s.namespace.name": "namespace-a",
    "k8s.node.name": "",
    "k8s.pod.name": "-",
    "k8s.pod.uid": "",
    "src_type": "K8s"
  },
  "timestamp": 1715691719745
}

Required Parameters

name

A descriptive name for the node. This is the name that appears in Visual Pipelines, and you can use it to reference this node in the YAML. It must be unique across all nodes. It is a YAML list element, so it begins with a - and a space, followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: resource_transform

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

target_source_type

The target_source_type parameter defines the type of source that the logs should reflect in their resource section. It can be docker, k8s, ecs, file, or custom. This determines the required fields in the source_field_overrides section. For custom, at least one source field override must be defined. A target_source_type is required.

nodes:
- name: <node name>
  type: resource_transform
  target_source_type: docker | k8s | ecs | file | custom
  source_field_overrides:
  - field: <field name>
    expression: <expression to determine the field's value>

source_field_overrides

The source_field_overrides parameter defines the resource fields and the logic for determining their values. It is specified with two child parameters: field and expression. A source_field_overrides is required.

The fields are determined by the target_source_type selected:

docker:

  • container.name, container.image.name (Mandatory)
  • container.image.tag (Optional but not defining it can cause loss of information)

ecs:

  • aws.ecs.container.arn (Mandatory)
  • aws.ecs.cluster.arn, aws.ecs.task.family, aws.ecs.task.revision (Optional but not defining them can cause loss of information)

file:

  • ed.filepath (Mandatory)

k8s:

  • k8s.namespace.name, k8s.pod.name, k8s.container.name (Mandatory)
  • k8s.deployment.name, k8s.statefulset.name, k8s.daemonset.name, k8s.replicaset.name, k8s.job.name (Optional but not defining them can cause loss of information)

The expression defines the logic to use to determine the values using a CEL macro or Go template. Alternatively, instead of defining a path, you can use “-” to skip a field to decrease cardinality.

nodes:
- name: <node name>
  type: resource_transform
  target_source_type: docker | k8s | ecs | file | custom
  source_field_overrides:
  - field: <field name>
    expression: <expression to determine the field's value>
  - field: <field name>
    expression: <expression to determine the field's value>
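
The mandatory and optional field lists above can be checked before a pipeline is deployed. The following is an added example, not Edge Delta code: a small Python lint for one resource_transform node, taking the node as a dict (the form it has after YAML parsing). The names SOURCE_FIELDS, lint_resource_transform and PAGE_EXAMPLE are hypothetical, and the checks cover only the rules stated on this page.

```python
# Added example, not Edge Delta code. Field lists are copied from this page:
# each entry is (mandatory fields, optional fields).
SOURCE_FIELDS = {
    "docker": (["container.name", "container.image.name"], ["container.image.tag"]),
    "ecs": (["aws.ecs.container.arn"],
            ["aws.ecs.cluster.arn", "aws.ecs.task.family", "aws.ecs.task.revision"]),
    "file": (["ed.filepath"], []),
    "k8s": (["k8s.namespace.name", "k8s.pod.name", "k8s.container.name"],
            ["k8s.deployment.name", "k8s.statefulset.name", "k8s.daemonset.name",
             "k8s.replicaset.name", "k8s.job.name"]),
    "custom": ([], []),  # no fixed list; only "at least one override" applies
}

def lint_resource_transform(node):
    """Return (errors, warnings) for one parsed resource_transform node (a dict)."""
    errors, warnings = [], []
    # An empty source_field_overrides list counts as missing, which also
    # enforces the "at least one override" rule for custom.
    for key in ("name", "type", "target_source_type", "source_field_overrides"):
        if not node.get(key):
            errors.append(f"missing required parameter: {key}")
    if node.get("type") and node["type"] != "resource_transform":
        errors.append(f"type must be resource_transform, got {node['type']!r}")
    source_type = node.get("target_source_type")
    if source_type and source_type not in SOURCE_FIELDS:
        errors.append(f"unknown target_source_type: {source_type!r}")
    mandatory, optional = SOURCE_FIELDS.get(source_type, ([], []))
    defined = set()
    for i, override in enumerate(node.get("source_field_overrides") or []):
        if override.get("field") and override.get("expression"):
            defined.add(override["field"])
        else:
            errors.append(f"override #{i}: both field and expression are required")
    errors += [f"mandatory field not defined: {f}" for f in mandatory if f not in defined]
    warnings += [f"optional field not defined (possible loss of information): {f}"
                 for f in optional if f not in defined]
    return errors, warnings

# The example configuration from this page, as it looks after YAML parsing.
PAGE_EXAMPLE = {
    "name": "resource_transform",
    "type": "resource_transform",
    "target_source_type": "k8s",
    "source_field_overrides": [
        {"field": "k8s.container.name",
         "expression": 'json(item["body"]).kubernetes.container.name'},
        {"field": "k8s.namespace.name",
         "expression": 'json(item["body"]).kubernetes.namespace'},
        {"field": "k8s.pod.name", "expression": '"-"'},
    ],
}
```

Run against PAGE_EXAMPLE it reports no errors and one warning for each of the five optional k8s fields the example leaves undefined.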