
Remapper

The remapper transform moves or copies attributes to top-level log event fields (such as message or eventTimestamp) or to tags. It reads from a predefined list of default attributes, which users can customize. The UI automatically adds a remapper to pipelines to transform well-known fields. For more details on using it in the API.

For example, this event:

{
  "id": "ABCDEF",
  "timestamp": "",
  "message": "",
  "severity": "",
  "service": "",
  "attributes": {
    "syslog": {
      "severity": "10",
      "appname": "test name"
    },
    "status": "5",
    "message": "message 1",
    "timestamp": {
      "ms_since_epoch": 9001
    },
    "eventTime": " "
  }
}

Would be transformed using the default configuration to:

{
  "id": "ABCDEF",
  "timestamp": "",
  "message": "message 1",
  "severity": "5",
  "service": "test name",
  "attributes": {
    "syslog": {
      "severity": "10",
      "appname": "test name"
    },
    "status": "5",
    "timestamp": {
      "ms_since_epoch": 9001
    },
    "eventTime": " "
  }
}

  • severity uses status: "5" instead of syslog.severity: "10" because status has a higher priority in the default statusReservedAttributes.
  • Also note that syslog.appname: "test name" was still used, even though syslog.severity: "10" was skipped.
  • The attribute message was removed because it’s marked as removed once remapped.
  • If the message attribute were log.message, then message would have been removed, but its parent log would still exist, even if empty.
  • timestamp: { "ms_since_epoch": 9001 } and eventTime: " " are not used at all because neither is a non-blank string value.

The following are the default settings:

| Attribute | Removed | Default names |
|-----------|---------|---------------|
| timestamp | false | "@timestamp", "timestamp", "_timestamp", "Timestamp", "eventTime", "date", "published_date", "syslog.timestamp" |
| host | false | "host", "hostname", "syslog.hostname" |
| service | false | "service", "syslog.appname", "dd.service" |
| status | false | "log.level", "status", "severity", "level", "syslog.severity" |
| message | true | "message", "msg", "log" |
| trace | false | "dd.trace_id", "contextMap.dd.trace_id" |