Remapper
The remapper transform moves or copies attributes to top-level log event fields (such
as message or eventTimestamp) or to tags. The remapper has predefined default attributes
to read from that can be customized by a user. The UI automatically adds a remapper
to pipelines to transform well-known fields. For more details on using it in the
API.
For example, this event:
{
"id": "ABCDEF",
"timestamp": "",
"message": "",
"severity": "",
"service": "",
"attributes": {
"syslog": {
"severity": "10",
"appname": "test name"
},
"status": "5",
"message": "message 1",
"timestamp": {
"ms_since_epoch": 9001
},
"eventTime": " "
}
}Would be transformed using the default configuration to:
{
"id": "ABCDEF",
"timestamp": "",
"message": "message 1",
"severity": "5",
"service": "test name",
"attributes": {
"syslog": {
"severity": "10",
"appname": "test name"
},
"status": "5",
"timestamp": {
"ms_since_epoch": 9001
},
"eventTime": " "
}
}severityusesstatus: "5"instead ofsyslog.severity: "10"becausestatushas a higher priority in the defaultstatusReservedAttributes.- Also note that
syslog.appname: "test name"was still used, even thoughsyslog.severity: "10"was skipped. - The attribute
messagewas removed because it's marked as removed once remapped. - If the message attribute was
log.message, thenmessagewould have been removed, but it's parentlogwould still exist, even if empty. timestamp: {}andeventTime: " "are not used at all because they are not a non-blank string value.
The following are the default settings:
| Attribute | Removed | Default names |
|---|---|---|
| timestamp | false | "@timestamp", "timestamp", "_timestamp", "Timestamp", "eventTime", "date", "published_date", "syslog.timestamp" |
| host | false | "host", "hostname", "syslog.hostname" |
| service | false | "service", "syslog.appname", "dd.service" |
| status | false | "log.level", "status", "severity", "level", "syslog.severity" |
| message | true | "message", "msg", "log" |
| trace | false | "dd.trace_id", "contextMap.dd.trace_id" |