Edge Delta Unroll JSON Processor
6 minute read
Overview
The JSON Unroll processor transforms structured JSON logs by unrolling nested JSON array objects into separate logs, making the data easier to monitor and analyze. Each output log inherits the top level fields and resources from the source log.
Example Configuration
This example shows how the JSON Unroll processor works with logs containing JSON arrays, preserving the full telemetry context.
This configuration sets the processor to look for JSON data in the telemetry item’s body field, find the events array within that JSON, and unroll it into separate logs. Each array element is placed in a new field called event in the output logs, while preserving all other fields from the original message.
- type: json_unroll
metadata: '{"id":"json-unroll-test","type":"json_unroll","name":"JSON Unroll Test"}'
data_types:
- log
field_path: body
new_field_name: event
json_field_path: events
Input Telemetry Item
When a Kubernetes pod writes this log to stdout:
{
"timestamp": "2025-08-22T00:29:15+00:00",
"iteration": 5,
"events": [
{"id": 51, "action": "start"},
{"id": 52, "action": "process"},
{"id": 53, "action": "complete"}
]
}
The Edge Delta agent’s Kubernetes input source automatically enriches it with metadata during ingestion, creating this telemetry item:
{
"_type": "log",
"timestamp": 1755822556407,
"body": "{\"timestamp\":\"2025-08-22T00:29:15+00:00\",\"iteration\":5,\"events\":[{\"id\":51,\"action\":\"start\"},{\"id\":52,\"action\":\"process\"},{\"id\":53,\"action\":\"complete\"}]}",
"resource": {
"container.id": "0ceeb88a67593c8da7f007fd23e7bf0ee76413909a6a6683357ceb19a60444da",
"container.image.name": "docker.io/library/busybox:latest",
"ed.domain": "k8s",
"ed.filepath": "/var/log/pods/busy_fresh-test-1755822512_a97e2406-a1e8-4cd3-8575-e14702a4b7a9/fresh-test-1755822512/0.log",
"ed.source.name": "kubernetes_input_50df",
"ed.source.type": "kubernetes_input",
"host.ip": "172.19.0.3",
"host.name": "ed-api-control-plane",
"k8s.container.name": "fresh-test-1755822512",
"k8s.namespace.name": "busy",
"k8s.node.name": "ed-api-control-plane",
"k8s.pod.name": "fresh-test-1755822512",
"k8s.pod.uid": "a97e2406-a1e8-4cd3-8575-e14702a4b7a9",
"service.name": "Unknown"
},
"attributes": {}
}
Note: The original JSON log is preserved as a string in the
bodyfield, while Kubernetes metadata is added to theresourceobject.
Output Telemetry Items
The processor generates three separate telemetry items, one for each array element. Note how all resource and attribute information is preserved:
First unrolled telemetry item (start action):
{
"_type": "log",
"timestamp": 1755822556407,
"body": "{\"event\":{\"action\":\"start\",\"id\":51},\"iteration\":5,\"timestamp\":\"2025-08-22T00:29:15+00:00\"}",
"resource": {
"container.id": "0ceeb88a67593c8da7f007fd23e7bf0ee76413909a6a6683357ceb19a60444da",
"container.image.name": "docker.io/library/busybox:latest",
"ed.domain": "k8s",
"ed.filepath": "/var/log/pods/busy_fresh-test-1755822512_a97e2406-a1e8-4cd3-8575-e14702a4b7a9/fresh-test-1755822512/0.log",
"ed.source.name": "kubernetes_input_50df",
"ed.source.type": "kubernetes_input",
"host.ip": "172.19.0.3",
"host.name": "ed-api-control-plane",
"k8s.container.name": "fresh-test-1755822512",
"k8s.namespace.name": "busy",
"k8s.node.name": "ed-api-control-plane",
"k8s.pod.name": "fresh-test-1755822512",
"k8s.pod.uid": "a97e2406-a1e8-4cd3-8575-e14702a4b7a9",
"service.name": "Unknown"
},
"attributes": {
"unrolled": "true"
}
}
Second unrolled telemetry item (process action):
{
"_type": "log",
"timestamp": 1755822556407,
"body": "{\"event\":{\"action\":\"process\",\"id\":52},\"iteration\":5,\"timestamp\":\"2025-08-22T00:29:15+00:00\"}",
"resource": {
"container.id": "0ceeb88a67593c8da7f007fd23e7bf0ee76413909a6a6683357ceb19a60444da",
"container.image.name": "docker.io/library/busybox:latest",
"ed.domain": "k8s",
"ed.filepath": "/var/log/pods/busy_fresh-test-1755822512_a97e2406-a1e8-4cd3-8575-e14702a4b7a9/fresh-test-1755822512/0.log",
"ed.source.name": "kubernetes_input_50df",
"ed.source.type": "kubernetes_input",
"host.ip": "172.19.0.3",
"host.name": "ed-api-control-plane",
"k8s.container.name": "fresh-test-1755822512",
"k8s.namespace.name": "busy",
"k8s.node.name": "ed-api-control-plane",
"k8s.pod.name": "fresh-test-1755822512",
"k8s.pod.uid": "a97e2406-a1e8-4cd3-8575-e14702a4b7a9",
"service.name": "Unknown"
},
"attributes": {
"unrolled": "true"
}
}
Third unrolled telemetry item (complete action):
{
"_type": "log",
"timestamp": 1755822556407,
"body": "{\"event\":{\"action\":\"complete\",\"id\":53},\"iteration\":5,\"timestamp\":\"2025-08-22T00:29:15+00:00\"}",
"resource": {
"container.id": "0ceeb88a67593c8da7f007fd23e7bf0ee76413909a6a6683357ceb19a60444da",
"container.image.name": "docker.io/library/busybox:latest",
"ed.domain": "k8s",
"ed.filepath": "/var/log/pods/busy_fresh-test-1755822512_a97e2406-a1e8-4cd3-8575-e14702a4b7a9/fresh-test-1755822512/0.log",
"ed.source.name": "kubernetes_input_50df",
"ed.source.type": "kubernetes_input",
"host.ip": "172.19.0.3",
"host.name": "ed-api-control-plane",
"k8s.container.name": "fresh-test-1755822512",
"k8s.namespace.name": "busy",
"k8s.node.name": "ed-api-control-plane",
"k8s.pod.name": "fresh-test-1755822512",
"k8s.pod.uid": "a97e2406-a1e8-4cd3-8575-e14702a4b7a9",
"service.name": "Unknown"
},
"attributes": {
"unrolled": "true"
}
}
Key observations:
- The
eventsarray is replaced by an individualeventfield in each output - All other body fields (timestamp, level, message, namespace, service) are preserved
- Complete Kubernetes resource metadata is maintained
- Attributes are fully retained across all unrolled items
- Each unrolled item maintains the same timestamp as the original
Options
condition
The condition parameter contains a conditional phrase of an OTTL statement. It restricts operation of the processor to only data items where the condition is met. Those data items that do not match the condition are passed without processing. You configure it in the interface and an OTTL condition is generated. It is optional. You can select one of the following operators:
| Operator | Name | Description | Example |
|---|---|---|---|
== |
Equal to | Returns true if both values are exactly the same |
attributes["status"] == "OK" |
!= |
Not equal to | Returns true if the values are not the same |
attributes["level"] != "debug" |
> |
Greater than | Returns true if the left value is greater than the right |
attributes["duration_ms"] > 1000 |
>= |
Greater than or equal | Returns true if the left value is greater than or equal to the right |
attributes["score"] >= 90 |
< |
Less than | Returns true if the left value is less than the right |
attributes["load"] < 0.75 |
<= |
Less than or equal | Returns true if the left value is less than or equal to the right |
attributes["retries"] <= 3 |
matches |
Regex match | Returns true if the string matches a regular expression |
isMatch(attributes["name"], ".*\\.name$" |
It is defined in YAML as follows:
- name: _multiprocessor
type: sequence
processors:
- type: <processor type>
condition: attributes["request"]["path"] == "/json/view"
Parse from
This option specifies the field containing the JSON object that needs to be unrolled. It is specified using bracket notation and is optional. If left empty it defaults to body.
JSON Field path
This option specifies the location in the JSON object of the array that needs to be unrolled. It is specified as a string and is optional.
New field name
This parameter specifies the field under which to place the unrolled log contents within the body. It is specified as a string and is optional. If it is left out, the original array’s name will be used.
Final
Determines whether successfully processed data items should continue through the remaining processors in the same processor stack. If final is set to true, data items output by this processor are not passed to subsequent processors within the node—they are instead emitted to downstream nodes in the pipeline (e.g., a destination). Failed items are always passed to the next processor, regardless of this setting.
The UI provides a slider to configure this setting. The default is false. It is defined in YAML as follows:
- name: multiprocessor
type: sequence
processors:
- type: <processor type>
final: true
Keep original telemetry item
Controls whether the original, unmodified telemetry item is preserved after processing. If keep_item is set to true, the processor emits both:
- The original telemetry item (e.g., a log), and
- Any new item generated by the processor (e.g., a metric extracted from the log)
Both items are passed to the next processor in the stack unless final is also set.
Interaction with final
If final: true is enabled, any successfully processed data items, whether original, newly created, or both, exit the processor stack or node immediately. No subsequent processors within the same node are evaluated, although downstream processing elsewhere in the pipeline continues. This means:
- If
keep_item: trueandfinal: true, both the original and processed items bypass the remaining processors in the current node and are forwarded to downstream nodes (such as destinations). - If
keep_item: falseandfinal: true, only the processed item continues beyond this processor, skipping subsequent processors in the stack, and the original item is discarded.
Note: If the data item fails to be processed, final has no effect, the item continues through the remaining processors in the node regardless of the keep_item setting.
The app provides a slider to configure keep_item. The default is false.
- name: ed_gateway_output_a3fa_multiprocessor
type: sequence
processors:
- type: <processor_type>
keep_item: true
final: true
See Also
- For an overview and to understand processor sequence flow, see Processors Overview
- To learn how to configure a processor, see Configure a Processor.
- For optimization strategies, see Best Practices for Edge Delta Processors.
- If you’re new to pipelines, start with the Pipeline Quickstart Overview or learn how to Configure a Pipeline.
- Looking to understand how processors interact with sources and destinations? Visit the Pipeline Overview.