Troubleshooting Deotel Processor

Solutions for common Deotel processor issues including field type requirements, data preparation, and configuration troubleshooting.

  3 minute read  

Overview

This guide provides solutions for common issues when using the Deotel processor. The Deotel processor extracts core content from OpenTelemetry formatted data, but requires specific data structures to work correctly.

Field Must Be an Object (Map)

The most common issue with Deotel is that the specified field_path must contain an object (map) with key-value pairs. The processor will not work if the field contains arrays, strings, or primitive types.

Common Scenarios and Solutions

String Bodies Containing JSON

Problem: Your body field contains a JSON string that hasn’t been parsed into an object.

Example:

{
  "body": "{\"level\":\"INFO\",\"message\":\"Application started\"}"
}

Solution: Use the Parse JSON processor to parse the JSON string from the body field and assign the parsed object back to the body field:

In the GUI:

  • Add Parse JSON processor
  • Parse from: body (the field containing the JSON string)
  • Assign to: body (where to put the parsed object - replacing the original string)

This generates the following YAML:

processors:
- type: ottl_transform
  metadata: '{"type":"parse-json","name":"Parse JSON"}'
  statements: |-
    merge_maps(body, ParseJSON(body), "upsert") where IsMap(body)
    set(body, ParseJSON(body)) where not IsMap(body)    
- type: deotel
  field_path: body

Result: The parsed JSON becomes an object that Deotel can process:

{
  "level": "INFO",
  "message": "Application started"
}

Array Data from Split Operations

Problem: Your field contains an array (e.g., from using split_log_lines or OTTL split operations).

Example:

{
  "attributes": {
    "PAN-OS": ["log line 1", "log line 2", "log line 3"]
  }
}

Solution: Wrap the array in an object structure before applying Deotel:

processors:
- type: ottl_transform
  statements: |
    # Move array into an object wrapper
    set(attributes["target"]["data"], attributes["PAN-OS"])
    delete_key(attributes, "PAN-OS")    
- type: deotel
  field_path: attributes.target

Alternative Solution: If you have the array in body and need to wrap it:

processors:
- type: ottl_transform
  statements: |
    # Wrap body array in an object structure
    set(attributes["data"]["items"], body) where IsList(body)    
- type: deotel
  field_path: attributes.data

Primitive Values (Strings, Numbers, Booleans)

Problem: Your field contains a simple primitive value rather than an object.

Example:

{
  "body": "Simple log message"
}

Solution: Wrap the primitive value in an object structure:

processors:
- type: ottl_transform
  statements: |
    # Wrap primitive in an object
    set(attributes["wrapper"]["message"], body)    
- type: deotel
  field_path: attributes.wrapper

Result: Creates an object that Deotel can process:

{
  "message": "Simple log message"
}

Working with Complex Scenarios

Preserving Metadata with Non-Object Data

If you need to preserve some OpenTelemetry metadata while working with non-object data:

processors:
- type: ottl_transform
  statements: |
    # Parse body if it's a JSON string
    set(body, ParseJSON(body)) where IsString(body)

    # Add metadata to the body object
    set(body["service"], resource["service.name"]) where IsMap(body)
    set(body["pod"], resource["k8s.pod.name"]) where IsMap(body)
    set(body["host"], resource["host.name"]) where IsMap(body)    
- type: deotel
  field_path: body

Identifying Array vs Object in Live Tail

In the Live Tail view, arrays and objects can look similar. Here’s how to identify them:

Array indicators:

  • Keys are numeric: PAN-OS>0, PAN-OS>1, PAN-OS>2
  • Sequential numbering starting from 0

Object indicators:

  • Keys are strings: PAN-OS>timestamp, PAN-OS>severity, PAN-OS>message
  • Named keys with semantic meaning

Troubleshooting Checklist

When Deotel isn’t working:

  1. Check the field type: Use Live Tail to examine the field structure

    • Look for numeric keys (0, 1, 2) = array
    • Look for string keys = object
    • Single value without keys = primitive

  2. Verify field path: Ensure the field_path points to the correct location

    • Use dot notation for nested fields: attributes.target
    • Check spelling and capitalization

  3. Test with OTTL Transform: Before adding Deotel, verify your data transformation:

    processors:
- type: ottl_transform
  statements: |
    # Your transformation statements    
# Don't add Deotel yet - check Live Tail first

  4. Check Live Tail output: After applying OTTL Transform, verify the field is now an object before adding Deotel

See Also