Remapper

The remapper transform moves or copies attributes to top-level log event fields (such as message or eventTimestamp) or to tags. The remapper has predefined default attributes to read from that can be customized by a user. The UI automatically adds a remapper to pipelines to transform well-known fields. For more details on using it in the API.

For example, this event:

{
    "id": "ABCDEF",
    "timestamp": "",
    "message": "",
    "severity": "",
    "service": "",
    "attributes": {
        "syslog": {
            "severity": "10",
            "appname": "test name"
        },
        "status": "5",
        "message": "message 1",
        "timestamp": {
            "ms_since_epoch": 9001
        },
        "eventTime": " "
    }
}

Would be transformed using the default configuration to:

{
    "id": "ABCDEF",
    "timestamp": "",
    "message": "message 1",
    "severity": "5",
    "service": "test name",
    "attributes": {
        "syslog": {
            "severity": "10",
            "appname": "test name"
        },
        "status": "5",
        "timestamp": {
            "ms_since_epoch": 9001
        },
        "eventTime": " "
    }
}

• severity uses status: "5" instead of syslog.severity: "10" because status has a higher priority in the default statusReservedAttributes.
• Also note that syslog.appname: "test name" was still used, even though syslog.severity: "10" was skipped.
• The attribute message was removed because it’s marked as removed once remapped.
• If the message attribute was log.message, then message would have been removed, but it’s parent log would still exist, even if empty.
• timestamp: {} and eventTime: " " are not used at all because they are not a non-blank string value.

The following are the default settings: