Les pipelines et les processeurs fonctionnent sur les logs entrants : ils effectuent le parsing de ces logs et les transforment en attributs structurés pour faciliter les requêtes.
Consultez la [page de configuration des pipelines](https://app.datadoghq.com/logs/pipelines) pour obtenir une liste des pipelines et des processeurs actuellement configurés dans l’interface utilisateur Web.
Remarque : ces endpoints sont uniquement disponibles pour les utilisateurs admin. Veillez à utiliser une clé d’application créée par un admin.
Les règles de parsing Grok peuvent affecter la sortie JSON et nécessitent de configurer les données renvoyées avant leur utilisation dans une requête.
Par exemple, si vous utilisez les données renvoyées par une requête dans un autre corps de requête, et que vous avez une règle de parsing qui utilise une expression regex comme \s pour les espaces, vous devrez configurer tous les espaces échappés en tant que %{space} pour utiliser les données.
"""
Get pipeline order returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.logs_pipelines_apiimportLogsPipelinesApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=LogsPipelinesApi(api_client)response=api_instance.get_logs_pipeline_order()print(response)
# Get pipeline order: print the organisation's current log-pipeline sequence.
# Read-only. The client is built without explicit credentials, so the keys come
# from the client's default configuration (environment), not from this file.
require "datadog_api_client"

pipelines_api = DatadogAPIClient::V1::LogsPipelinesAPI.new
current_order = pipelines_api.get_logs_pipeline_order
p current_order
// Get pipeline order returns "OK" responsepackagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.GetLogsPipelineOrder(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.GetLogsPipelineOrder`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.GetLogsPipelineOrder`:\n%s\n",responseContent)}
// Get pipeline order returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipelinesOrder;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{LogsPipelinesOrderresult=apiInstance.getLogsPipelineOrder();System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#getLogsPipelineOrder");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get pipeline order returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;

/// Fetches the current log-pipeline order and pretty-prints either the value or the error.
///
/// No credentials appear in this file; the page's run command passes DD_SITE, DD_API_KEY
/// and DD_APP_KEY through the environment.
#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = LogsPipelinesAPI::with_config(configuration);

    // Both outcomes are printed to stdout with the same debug formatting.
    match api.get_logs_pipeline_order().await {
        Ok(order) => println!("{:#?}", order),
        Err(err) => println!("{:#?}", err),
    }
}
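# DD_SITE takes exactly one Datadog site. The page's site selector offers:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# <API-KEY> and <APP-KEY> are placeholders. Keys typed inline on the command line
# end up in shell history; outside a quick test, export them from a secret store.
# These endpoints are admin-only, so the application key must come from an admin user.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run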
/**
 * Get pipeline order: read the organisation's current log-pipeline sequence
 * and log it as JSON. Read-only. No credentials are set in this file; the
 * configuration is created with the client's defaults.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(configuration);

// Success handler: serialise the returned order for display.
const onSuccess = (order: v1.LogsPipelinesOrder): void => {
  console.log("API called successfully. Returned data: " + JSON.stringify(order));
};

// Failure handler: surface the error object on stderr.
const onFailure = (error: any): void => console.error(error);

pipelinesApi.getLogsPipelineOrder().then(onSuccess).catch(onFailure);
Mettez à jour la séquence de vos pipelines. Les logs étant traités de manière séquentielle, la réorganisation d’un pipeline peut changer la structure et le contenu des données traitées par les autres pipelines et leurs processeurs.
Remarque : la méthode PUT permet de mettre à jour la séquence des pipelines en remplaçant votre séquence actuelle par la nouvelle, envoyée à votre organisation Datadog.
This endpoint requires the logs_write_pipelines permission.
Requête
Body Data (required)
Objet contenant la nouvelle liste triée des ID de pipeline.
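# DD_SITE takes exactly one Datadog site. The page's site selector offers:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# <API-KEY> and <APP-KEY> are placeholders. Keys typed inline on the command line
# end up in shell history; outside a quick test, export them from a secret store.
# Updating the pipeline order requires the logs_write_pipelines permission.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run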
/**
 * Update pipeline order: send a new ordered list of pipeline IDs.
 *
 * The submitted list replaces the organisation's current sequence as a whole,
 * and logs are processed sequentially, so a reorder changes what later
 * pipelines and processors receive. The endpoint requires the
 * logs_write_pipelines permission.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(configuration);

// Full replacement order, first pipeline to run listed first.
const newOrder: string[] = ["tags", "org_ids", "products"];

const params: v1.LogsPipelinesApiUpdateLogsPipelineOrderRequest = {
  body: {
    pipelineIds: newOrder,
  },
};

// Success handler: serialise the order returned by the API.
const onSuccess = (order: v1.LogsPipelinesOrder): void => {
  console.log("API called successfully. Returned data: " + JSON.stringify(order));
};

// Failure handler: surface the error object on stderr.
const onFailure = (error: any): void => console.error(error);

pipelinesApi.updateLogsPipelineOrder(params).then(onSuccess).catch(onFailure);
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Additional constraints apply: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0.
If false, it skips the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Remove or preserve the remapped source element.
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log event into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Name of the target attributes which value is defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
"""
Get all pipelines returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.logs_pipelines_apiimportLogsPipelinesApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=LogsPipelinesApi(api_client)response=api_instance.list_logs_pipelines()print(response)
# Get all pipelines: print every log pipeline configured for the organisation.
# Read-only. The client is built without explicit credentials, so the keys come
# from the client's default configuration (environment), not from this file.
require "datadog_api_client"

pipelines_api = DatadogAPIClient::V1::LogsPipelinesAPI.new
all_pipelines = pipelines_api.list_logs_pipelines
p all_pipelines
// Get all pipelines returns "OK" responsepackagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.ListLogsPipelines(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.ListLogsPipelines`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.ListLogsPipelines`:\n%s\n",responseContent)}
// Get all pipelines returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipeline;importjava.util.List;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{List<LogsPipeline>result=apiInstance.listLogsPipelines();System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#listLogsPipelines");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get all pipelines returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;

/// Lists every configured log pipeline and pretty-prints either the value or the error.
///
/// No credentials appear in this file; the page's run command passes DD_SITE, DD_API_KEY
/// and DD_APP_KEY through the environment.
#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = LogsPipelinesAPI::with_config(configuration);

    // Both outcomes are printed to stdout with the same debug formatting.
    match api.list_logs_pipelines().await {
        Ok(pipelines) => println!("{:#?}", pipelines),
        Err(err) => println!("{:#?}", err),
    }
}
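# DD_SITE takes exactly one Datadog site. The page's site selector offers:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# <API-KEY> and <APP-KEY> are placeholders. Keys typed inline on the command line
# end up in shell history; outside a quick test, export them from a secret store.
# These endpoints are admin-only, so the application key must come from an admin user.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run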
/**
 * Get all pipelines: list every log pipeline configured for the organisation
 * and log the result as JSON. Read-only. No credentials are set in this file;
 * the configuration is created with the client's defaults.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(configuration);

// Success handler: serialise the returned pipelines for display.
const onSuccess = (pipelines: v1.LogsPipeline[]): void => {
  console.log("API called successfully. Returned data: " + JSON.stringify(pipelines));
};

// Failure handler: surface the error object on stderr.
const onFailure = (error: any): void => console.error(error);

pipelinesApi.listLogsPipelines().then(onSuccess).catch(onFailure);
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Additional constraints apply: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Whether the source attribute is URL-encoded.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The query uses the same syntax as the Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Processing stops as soon as the log matches one of the processor's queries.
Make sure the queries are properly ordered in case a log could match several of them.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters that a log is matched against, each with the
corresponding name to assign as a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute whose value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The - operator must be separated by spaces in the formula, because - can also appear in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, all missing attributes of expression are replaced by 0. If false,
the operation is skipped when an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Remove or preserve the remapped source element.
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of the input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log events into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The query uses the same syntax as the Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters that a log is matched against, each with the
corresponding name to assign as a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Names of the target attributes whose values are defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Additional constraints apply: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Whether the source attribute is URL-encoded.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The query uses the same syntax as the Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Processing stops as soon as the log matches one of the processor's queries.
Make sure the queries are properly ordered in case a log could match several of them.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters that a log is matched against, each with the
corresponding name to assign as a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute whose value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The - operator must be separated by spaces in the formula, because - can also appear in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, all missing attributes of expression are replaced by 0. If false,
the operation is skipped when an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Whether to keep the source attribute after its value has been appended (true) or remove it from the log (false).
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of the input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log events into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Names of the target attributes whose values are defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
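// Create a pipeline with Array Processor Append Operation returns "OK" response
//
// No credentials appear in this file: datadog.NewDefaultContext picks up
// DD_SITE, DD_API_KEY and DD_APP_KEY from the environment. This page states
// that the pipeline endpoints are only available to admin users, so the
// application key must have been created by an admin.
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

// main creates a pipeline for logs matching source:python whose single array
// processor appends network.client.ip to the sourceIps array. preserve_source
// is left unset, so the documented default (true) applies and the source
// attribute stays on the log.
func main() {
	body := datadogV1.LogsPipeline{
		Filter: &datadogV1.LogsFilter{
			Query: datadog.PtrString("source:python"),
		},
		Name: "testPipelineArrayAppend",
		Processors: []datadogV1.LogsProcessor{
			datadogV1.LogsProcessor{
				LogsArrayProcessor: &datadogV1.LogsArrayProcessor{
					Type:      datadogV1.LOGSARRAYPROCESSORTYPE_ARRAY_PROCESSOR,
					IsEnabled: datadog.PtrBool(true),
					Name:      datadog.PtrString("append_ip_to_array"),
					Operation: datadogV1.LogsArrayProcessorOperation{
						LogsArrayProcessorOperationAppend: &datadogV1.LogsArrayProcessorOperationAppend{
							Type:   datadogV1.LOGSARRAYPROCESSOROPERATIONAPPENDTYPE_APPEND,
							Source: "network.client.ip",
							Target: "sourceIps",
						},
					},
				},
			},
		},
		Tags: []string{},
	}

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewLogsPipelinesApi(apiClient)

	resp, r, err := api.CreateLogsPipeline(ctx, body)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `LogsPipelinesApi.CreateLogsPipeline`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Stop here with a non-zero status: a failed call must not be followed
		// by a "Response from ..." line that automation could read as success.
		os.Exit(1)
	}

	responseContent, marshalErr := json.MarshalIndent(resp, "", " ")
	if marshalErr != nil {
		fmt.Fprintf(os.Stderr, "Error when encoding the response: %v\n", marshalErr)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stdout, "Response from `LogsPipelinesApi.CreateLogsPipeline`:\n%s\n", responseContent)
}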
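// Create a pipeline with Array Processor Append Operation with preserve_source false returns "OK" response
//
// No credentials appear in this file: datadog.NewDefaultContext picks up
// DD_SITE, DD_API_KEY and DD_APP_KEY from the environment. This page states
// that the pipeline endpoints are only available to admin users, so the
// application key must have been created by an admin.
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

// main creates a pipeline for logs matching source:python whose single array
// processor appends network.client.ip to the sourceIps array and then removes
// the source attribute (preserve_source false).
func main() {
	body := datadogV1.LogsPipeline{
		Filter: &datadogV1.LogsFilter{
			Query: datadog.PtrString("source:python"),
		},
		Name: "testPipelineArrayAppendNoPreserve",
		Processors: []datadogV1.LogsProcessor{
			datadogV1.LogsProcessor{
				LogsArrayProcessor: &datadogV1.LogsArrayProcessor{
					Type:      datadogV1.LOGSARRAYPROCESSORTYPE_ARRAY_PROCESSOR,
					IsEnabled: datadog.PtrBool(true),
					Name:      datadog.PtrString("append_ip_and_remove_source"),
					Operation: datadogV1.LogsArrayProcessorOperation{
						LogsArrayProcessorOperationAppend: &datadogV1.LogsArrayProcessorOperationAppend{
							Type:   datadogV1.LOGSARRAYPROCESSOROPERATIONAPPENDTYPE_APPEND,
							Source: "network.client.ip",
							Target: "sourceIps",
							// With false the log no longer carries network.client.ip
							// after this processor. That attribute is the documented
							// default source of the GeoIP parser, so anything placed
							// later that reads it has to be pointed at sourceIps or
							// run before this step.
							PreserveSource: datadog.PtrBool(false),
						},
					},
				},
			},
		},
		Tags: []string{},
	}

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewLogsPipelinesApi(apiClient)

	resp, r, err := api.CreateLogsPipeline(ctx, body)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `LogsPipelinesApi.CreateLogsPipeline`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Stop here with a non-zero status: a failed call must not be followed
		// by a "Response from ..." line that automation could read as success.
		os.Exit(1)
	}

	responseContent, marshalErr := json.MarshalIndent(resp, "", " ")
	if marshalErr != nil {
		fmt.Fprintf(os.Stderr, "Error when encoding the response: %v\n", marshalErr)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stdout, "Response from `LogsPipelinesApi.CreateLogsPipeline`:\n%s\n", responseContent)
}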
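// Create a pipeline with Array Processor Append Operation with preserve_source true returns "OK" response
//
// No credentials appear in this file: datadog.NewDefaultContext picks up
// DD_SITE, DD_API_KEY and DD_APP_KEY from the environment. This page states
// that the pipeline endpoints are only available to admin users, so the
// application key must have been created by an admin.
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

// main creates a pipeline for logs matching source:python whose single array
// processor appends network.client.ip to the sourceIps array while explicitly
// keeping the source attribute (preserve_source true, which is also the
// documented default).
func main() {
	body := datadogV1.LogsPipeline{
		Filter: &datadogV1.LogsFilter{
			Query: datadog.PtrString("source:python"),
		},
		Name: "testPipelineArrayAppendPreserve",
		Processors: []datadogV1.LogsProcessor{
			datadogV1.LogsProcessor{
				LogsArrayProcessor: &datadogV1.LogsArrayProcessor{
					Type:      datadogV1.LOGSARRAYPROCESSORTYPE_ARRAY_PROCESSOR,
					IsEnabled: datadog.PtrBool(true),
					Name:      datadog.PtrString("append_ip_and_keep_source"),
					Operation: datadogV1.LogsArrayProcessorOperation{
						LogsArrayProcessorOperationAppend: &datadogV1.LogsArrayProcessorOperationAppend{
							Type:           datadogV1.LOGSARRAYPROCESSOROPERATIONAPPENDTYPE_APPEND,
							Source:         "network.client.ip",
							Target:         "sourceIps",
							PreserveSource: datadog.PtrBool(true),
						},
					},
				},
			},
		},
		Tags: []string{},
	}

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewLogsPipelinesApi(apiClient)

	resp, r, err := api.CreateLogsPipeline(ctx, body)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `LogsPipelinesApi.CreateLogsPipeline`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Stop here with a non-zero status: a failed call must not be followed
		// by a "Response from ..." line that automation could read as success.
		os.Exit(1)
	}

	responseContent, marshalErr := json.MarshalIndent(resp, "", " ")
	if marshalErr != nil {
		fmt.Fprintf(os.Stderr, "Error when encoding the response: %v\n", marshalErr)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stdout, "Response from `LogsPipelinesApi.CreateLogsPipeline`:\n%s\n", responseContent)
}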
# Create a pipeline with Array Processor Append Operation returns "OK" response
#
# Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
# the run command shown on this page); nothing secret is written in the script.
# This page states the pipeline endpoints are only available to admin users.
require "datadog_api_client"

pipelines_api = DatadogAPIClient::V1::LogsPipelinesAPI.new

# Append the client IP to the sourceIps array. preserve_source is not set, so
# the documented default (true) keeps network.client.ip on the log.
append_operation = DatadogAPIClient::V1::LogsArrayProcessorOperationAppend.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorOperationAppendType::APPEND,
  source: "network.client.ip",
  target: "sourceIps",
})

array_processor = DatadogAPIClient::V1::LogsArrayProcessor.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorType::ARRAY_PROCESSOR,
  is_enabled: true,
  name: "append_ip_to_array",
  operation: append_operation,
})

# The pipeline only processes logs matching source:python.
pipeline = DatadogAPIClient::V1::LogsPipeline.new({
  filter: DatadogAPIClient::V1::LogsFilter.new({
    query: "source:python",
  }),
  name: "testPipelineArrayAppend",
  processors: [array_processor],
  tags: [],
})

p pipelines_api.create_logs_pipeline(pipeline)
# Create a pipeline with Array Processor Append Operation with preserve_source false returns "OK" response
#
# Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
# the run command shown on this page); nothing secret is written in the script.
# This page states the pipeline endpoints are only available to admin users.
require "datadog_api_client"

pipelines_api = DatadogAPIClient::V1::LogsPipelinesAPI.new

# Append the client IP to sourceIps, then drop the source attribute.
# With preserve_source false the log no longer carries network.client.ip after
# this processor; that attribute is the documented default source of the GeoIP
# parser, so later steps that read it must use sourceIps or run before this one.
append_operation = DatadogAPIClient::V1::LogsArrayProcessorOperationAppend.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorOperationAppendType::APPEND,
  source: "network.client.ip",
  target: "sourceIps",
  preserve_source: false,
})

array_processor = DatadogAPIClient::V1::LogsArrayProcessor.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorType::ARRAY_PROCESSOR,
  is_enabled: true,
  name: "append_ip_and_remove_source",
  operation: append_operation,
})

# The pipeline only processes logs matching source:python.
pipeline = DatadogAPIClient::V1::LogsPipeline.new({
  filter: DatadogAPIClient::V1::LogsFilter.new({
    query: "source:python",
  }),
  name: "testPipelineArrayAppendNoPreserve",
  processors: [array_processor],
  tags: [],
})

p pipelines_api.create_logs_pipeline(pipeline)
# Create a pipeline with Array Processor Append Operation with preserve_source true returns "OK" response
#
# Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
# the run command shown on this page); nothing secret is written in the script.
# This page states the pipeline endpoints are only available to admin users.
require "datadog_api_client"

pipelines_api = DatadogAPIClient::V1::LogsPipelinesAPI.new

# Append the client IP to sourceIps and explicitly keep network.client.ip on
# the log (preserve_source true, which is also the documented default).
append_operation = DatadogAPIClient::V1::LogsArrayProcessorOperationAppend.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorOperationAppendType::APPEND,
  source: "network.client.ip",
  target: "sourceIps",
  preserve_source: true,
})

array_processor = DatadogAPIClient::V1::LogsArrayProcessor.new({
  type: DatadogAPIClient::V1::LogsArrayProcessorType::ARRAY_PROCESSOR,
  is_enabled: true,
  name: "append_ip_and_keep_source",
  operation: append_operation,
})

# The pipeline only processes logs matching source:python.
pipeline = DatadogAPIClient::V1::LogsPipeline.new({
  filter: DatadogAPIClient::V1::LogsFilter.new({
    query: "source:python",
  }),
  name: "testPipelineArrayAppendPreserve",
  processors: [array_processor],
  tags: [],
})

p pipelines_api.create_logs_pipeline(pipeline)
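# Run the example against a single Datadog site. DD_SITE takes exactly one of:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# <API-KEY> and <APP-KEY> are placeholders. Real values typed inline like this
# are recorded in shell history; exporting them from a secrets manager before
# the command keeps them out of it. Per this page, the application key must
# have been created by an admin.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run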
/**
 * Create a pipeline with Array Processor Append Operation returns "OK" response
 *
 * Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
 * the run command shown on this page); nothing secret is written in the script.
 * This page states the pipeline endpoints are only available to admin users.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const config = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(config);

// One array processor on logs matching source:python: append the client IP to
// sourceIps. preserveSource is not set, so the documented default (true) keeps
// network.client.ip on the log.
const request: v1.LogsPipelinesApiCreateLogsPipelineRequest = {
  body: {
    filter: {
      query: "source:python",
    },
    name: "testPipelineArrayAppend",
    processors: [
      {
        type: "array-processor",
        isEnabled: true,
        name: "append_ip_to_array",
        operation: {
          type: "append",
          source: "network.client.ip",
          target: "sourceIps",
        },
      },
    ],
    tags: [],
  },
};

pipelinesApi
  .createLogsPipeline(request)
  .then((created: v1.LogsPipeline) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(created)
    );
  })
  .catch((failure: any) => console.error(failure));
/**
 * Create a pipeline with Array Processor Append Operation with preserve_source false returns "OK" response
 *
 * Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
 * the run command shown on this page); nothing secret is written in the script.
 * This page states the pipeline endpoints are only available to admin users.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const config = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(config);

// One array processor on logs matching source:python: append the client IP to
// sourceIps, then drop the source attribute.
const request: v1.LogsPipelinesApiCreateLogsPipelineRequest = {
  body: {
    filter: {
      query: "source:python",
    },
    name: "testPipelineArrayAppendNoPreserve",
    processors: [
      {
        type: "array-processor",
        isEnabled: true,
        name: "append_ip_and_remove_source",
        operation: {
          type: "append",
          source: "network.client.ip",
          target: "sourceIps",
          // With false the log no longer carries network.client.ip after this
          // processor. That attribute is the documented default source of the
          // GeoIP parser, so later steps that read it must use sourceIps or
          // run before this one.
          preserveSource: false,
        },
      },
    ],
    tags: [],
  },
};

pipelinesApi
  .createLogsPipeline(request)
  .then((created: v1.LogsPipeline) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(created)
    );
  })
  .catch((failure: any) => console.error(failure));
/**
 * Create a pipeline with Array Processor Append Operation with preserve_source true returns "OK" response
 *
 * Credentials are expected in the environment (DD_API_KEY / DD_APP_KEY, as in
 * the run command shown on this page); nothing secret is written in the script.
 * This page states the pipeline endpoints are only available to admin users.
 */
import { client, v1 } from "@datadog/datadog-api-client";

const config = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(config);

// One array processor on logs matching source:python: append the client IP to
// sourceIps and explicitly keep network.client.ip on the log (preserveSource
// true, which is also the documented default).
const request: v1.LogsPipelinesApiCreateLogsPipelineRequest = {
  body: {
    filter: {
      query: "source:python",
    },
    name: "testPipelineArrayAppendPreserve",
    processors: [
      {
        type: "array-processor",
        isEnabled: true,
        name: "append_ip_and_keep_source",
        operation: {
          type: "append",
          source: "network.client.ip",
          target: "sourceIps",
          preserveSource: true,
        },
      },
    ],
    tags: [],
  },
};

pipelinesApi
  .createLogsPipeline(request)
  .then((created: v1.LogsPipeline) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(created)
    );
  })
  .catch((failure: any) => console.error(failure));
Récupérez un pipeline spécifique de votre organisation. Cet endpoint ne prend aucun argument JSON.
This endpoint requires the logs_read_config permission.
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Additional constraints apply: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once a log has matched one of the processor's queries, processing stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute whose value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, all missing attributes of expression are replaced by 0.
If false, the operation is skipped when an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Remove or preserve the remapped source element.
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log events into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Names of the target attributes whose values are defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
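"""
Get a pipeline returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.logs_pipelines_api import LogsPipelinesApi

# Configuration() takes the API key, application key and site from the
# environment (DD_API_KEY, DD_APP_KEY, DD_SITE), so no secret lives in this file.
# The pipeline endpoints are documented as admin-only: the application key used
# here is a high-privilege credential and should come from a secret store.
configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = LogsPipelinesApi(api_client)
    # "pipeline_id" is a placeholder; pass the ID of the pipeline to fetch.
    response = api_instance.get_logs_pipeline(
        pipeline_id="pipeline_id",
    )

    # The response is the full pipeline definition (filter, processors, rules).
    print(response)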
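# Get a pipeline returns "OK" response

require "datadog_api_client"

# The client reads its credentials from the environment (DD_API_KEY, DD_APP_KEY);
# the pipeline endpoints are documented as admin-only, so treat the application
# key as a high-privilege secret and keep it out of source control.
api_instance = DatadogAPIClient::V1::LogsPipelinesAPI.new

# "pipeline_id" is a placeholder; pass the ID of the pipeline to fetch.
p api_instance.get_logs_pipeline("pipeline_id")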
// Get a pipeline returns "OK" responsepackagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.GetLogsPipeline(ctx,"pipeline_id")iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.GetLogsPipeline`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.GetLogsPipeline`:\n%s\n",responseContent)}
// Get a pipeline returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipeline;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{LogsPipelineresult=apiInstance.getLogsPipeline("pipeline_id");System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#getLogsPipeline");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
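// Get a pipeline returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;

/// Fetches one logs pipeline by ID and pretty-prints either the pipeline or the error.
///
/// Credentials come from the environment (DD_API_KEY, DD_APP_KEY, DD_SITE), as in
/// the run command shown with this example; nothing secret is embedded in the source.
#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = LogsPipelinesAPI::with_config(configuration);

    // "pipeline_id" is a placeholder; pass the ID of the pipeline to fetch.
    let resp = api.get_logs_pipeline("pipeline_id".to_string()).await;

    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        // Both outcomes are written to stdout in this example.
        println!("{:#?}", resp.unwrap_err());
    }
}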
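# DD_SITE takes exactly one Datadog site, the one hosting your organization:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# Keys typed inline like this end up in shell history; for anything beyond a
# quick test, export DD_API_KEY and DD_APP_KEY from a secret store instead.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run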
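/**
 * Get a pipeline returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

// createConfiguration() reads the API and application keys from the environment
// (DD_API_KEY, DD_APP_KEY). The pipeline endpoints are documented as admin-only,
// so the application key is a high-privilege secret: keep it out of the source.
const configuration = client.createConfiguration();
const apiInstance = new v1.LogsPipelinesApi(configuration);

// "pipeline_id" is a placeholder; pass the ID of the pipeline to fetch.
const params: v1.LogsPipelinesApiGetLogsPipelineRequest = {
  pipelineId: "pipeline_id",
};

apiInstance
  .getLogsPipeline(params)
  .then((data: v1.LogsPipeline) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));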
Supprimez un pipeline donné de votre organisation. Cet endpoint ne prend aucun argument JSON.
This endpoint requires the logs_write_pipelines permission.
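# DD_SITE takes exactly one Datadog site, the one hosting your organization:
#   datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu,
#   ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com
# Deleting a pipeline requires the logs_write_pipelines permission, so the
# application key used here is write-capable: do not leave it in shell history,
# export DD_API_KEY and DD_APP_KEY from a secret store instead.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run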
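/**
 * Delete a pipeline returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

// createConfiguration() reads the API and application keys from the environment
// (DD_API_KEY, DD_APP_KEY). This endpoint requires the logs_write_pipelines
// permission, so the application key must be write-capable; keep it out of the source.
const configuration = client.createConfiguration();
const apiInstance = new v1.LogsPipelinesApi(configuration);

// "pipeline_id" is a placeholder. The call removes that pipeline from the
// organization, so confirm the ID before running (for example by fetching the
// pipeline first and saving its definition).
const params: v1.LogsPipelinesApiDeleteLogsPipelineRequest = {
  pipelineId: "pipeline_id",
};

apiInstance
  .deleteLogsPipeline(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));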
Mettez à jour une configuration de pipeline donnée pour modifier ses processeurs ou sa séquence.
Remarque : cette méthode permet de mettre à jour la configuration de votre pipeline en remplaçant votre configuration actuelle par la nouvelle, envoyée à votre organisation Datadog.
This endpoint requires the logs_write_pipelines permission.
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints apply: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute whose value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0; if false,
it skips the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Remove or preserve the remapped source element.
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log events into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Names of the target attributes whose values are defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
One additional constraint applies: the characters : and , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Whether to override the target element if it is already set.
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once a log has matched one of the Processor queries, the Processor stops evaluating the remaining queries for that log.
Make sure the queries are properly ordered in case a log could match several of them.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute whose value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - must be surrounded by spaces in the formula, because - can also appear in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded to the 9th decimal place. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, all missing attributes of expression are replaced by 0. If false,
the operation is skipped when an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
Use the span remapper processor to define a log attribute as its associated span ID.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources
[string]
Array of source attributes.
default: dd.span_id
type [required]
enum
Type of logs span remapper.
Allowed enum values: span-id-remapper
default: span-id-remapper
Option 18
object
A processor for extracting, aggregating, or transforming values from JSON arrays within your logs.
Supported operations are:
Select value from matching element
Compute array length
Append a value to an array
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
operation [required]
<oneOf>
Configuration of the array processor operation to perform.
Option 1
object
Operation that appends a value to a target array attribute.
preserve_source
boolean
Remove or preserve the remapped source element.
default: true
source [required]
string
Attribute path containing the value to append.
target [required]
string
Attribute path of the array to append to.
type [required]
enum
Operation type.
Allowed enum values: append
Option 2
object
Operation that computes the length of a source array and stores the result in the target attribute.
source [required]
string
Attribute path of the array to measure.
target [required]
string
Attribute that receives the computed length.
type [required]
enum
Operation type.
Allowed enum values: length
Option 3
object
Operation that finds an object in a source array using a filter, and then extracts a specific value into the target attribute.
filter [required]
string
Filter condition expressed as key:value used to find the matching element.
source [required]
string
Attribute path of the array to search into.
target [required]
string
Attribute that receives the extracted value.
type [required]
enum
Operation type.
Allowed enum values: select
value_to_extract [required]
string
Key of the value to extract from the matching element.
type [required]
enum
Type of logs array processor.
Allowed enum values: array-processor
default: array-processor
Option 19
object
The decoder processor decodes any source attribute containing a
base64/base16-encoded UTF-8/ASCII string back to its original value, storing the
result in a target attribute.
binary_to_text_encoding [required]
enum
The encoding used to represent the binary data.
Allowed enum values: base64,base16
input_representation [required]
enum
The original representation of input string.
Allowed enum values: utf_8,integer
is_enabled
boolean
Whether the processor is enabled.
name
string
Name of the processor.
source [required]
string
Name of the log attribute with the encoded data.
target [required]
string
Name of the log attribute that contains the decoded data.
type [required]
enum
Type of logs decoder processor.
Allowed enum values: decoder-processor
default: decoder-processor
Option 20
object
A processor that has additional validations and checks for a given schema. Currently supported schema types include OCSF.
is_enabled
boolean
Whether or not the processor is enabled.
mappers [required]
[ <oneOf>]
The LogsSchemaProcessor mappers.
Option 1
object
The schema remapper maps source log fields to their correct fields.
name [required]
string
Name of the logs schema remapper.
override_on_conflict
boolean
Override or not the target element if already set.
preserve_source
boolean
Remove or preserve the remapped source element.
sources [required]
[string]
Array of source attributes.
target [required]
string
Target field to map log source field to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
type [required]
enum
Type of logs schema remapper.
Allowed enum values: schema-remapper
Option 2
object
Use the Schema Category Mapper to categorize log events into enum fields.
In the case of OCSF, they can be used to map sibling fields which are composed of an ID and a name.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Categories are executed in order and processing stops at the first match.
Make sure categories are properly ordered in case a log could match multiple queries.
Sibling fields always have a numerical ID field and a human-readable string name.
A fallback section handles cases where the name or ID value matches a specific value.
If the name matches "Other" or the ID matches 99, the value of the sibling name field will be pulled from a source field from the original log.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter [required]
object
Filter for logs.
query
string
The filter query.
id [required]
int64
ID to inject into the category.
name [required]
string
Value to assign to target schema field.
fallback
object
Used to override hardcoded category values with a value pulled from a source attribute on the log.
sources
object
Fallback sources used to populate value of field.
<any-key>
[string]
values
object
Values that define when the fallback is used.
<any-key>
string
name [required]
string
Name of the logs schema category mapper.
targets [required]
object
Names of the target attributes whose values are defined by the matching category.
id
string
ID of the field to map log attributes to.
name
string
Name of the field to map log attributes to.
type [required]
enum
Type of logs schema category mapper.
Allowed enum values: schema-category-mapper
name [required]
string
Name of the processor.
schema [required]
object
Configuration of the schema data to use.
class_name [required]
string
Class name of the schema to use.
class_uid [required]
int64
Class UID of the schema to use.
profiles
[string]
Optional list of profiles to modify the schema.
schema_type [required]
string
Type of schema to use.
version [required]
string
Version of the schema to use.
type [required]
enum
Type of logs schema processor.
Allowed enum values: schema-processor
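// Update a pipeline returns "OK" response
//
// Credentials are not embedded here: datadog.NewDefaultContext builds the
// request context from the environment (DD_API_KEY, DD_APP_KEY, DD_SITE).
// The page notes that these endpoints are admin-only, so the application key
// must be one created by an admin user.
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	// Replacement pipeline definition: one disabled grok parser applied to
	// logs matching "source:python".
	body := datadogV1.LogsPipeline{
		Filter: &datadogV1.LogsFilter{
			Query: datadog.PtrString("source:python"),
		},
		Name: "", // placeholder: the sample leaves the pipeline name empty
		Processors: []datadogV1.LogsProcessor{
			datadogV1.LogsProcessor{
				LogsGrokParser: &datadogV1.LogsGrokParser{
					Grok: datadogV1.LogsGrokParserRules{
						// Rules are newline-separated; the raw strings must
						// keep their continuation lines at column 0.
						MatchRules: `rule_name_1 foo
rule_name_2 bar
`,
						SupportRules: datadog.PtrString(`rule_name_1 foo
rule_name_2 bar
`),
					},
					IsEnabled: datadog.PtrBool(false),
					Samples:   []string{},
					Source:    "message",
					Type:      datadogV1.LOGSGROKPARSERTYPE_GROK_PARSER,
				}},
		},
		Tags: []string{},
	}

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewLogsPipelinesApi(apiClient)

	// "pipeline_id" is a placeholder for the ID of the pipeline to update.
	resp, r, err := api.UpdateLogsPipeline(ctx, "pipeline_id", body)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `LogsPipelinesApi.UpdateLogsPipeline`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Stop here: printing a "Response" built from an empty value and
		// exiting 0 would let a caller or CI job treat a rejected update
		// (for example, a non-admin key) as applied.
		os.Exit(1)
	}

	responseContent, marshalErr := json.MarshalIndent(resp, "", " ")
	if marshalErr != nil {
		fmt.Fprintf(os.Stderr, "Error when encoding the response: %v\n", marshalErr)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stdout, "Response from `LogsPipelinesApi.UpdateLogsPipeline`:\n%s\n", responseContent)
}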
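# DD_SITE takes exactly one site, the one that hosts your organization. The
# values offered on the page are:
#   datadoghq.com  us3.datadoghq.com  us5.datadoghq.com  datadoghq.eu
#   ap1.datadoghq.com  ap2.datadoghq.com  ddog-gov.com
# <API-KEY> and <APP-KEY> are placeholders. Values typed inline are recorded in
# shell history; exporting them from a secrets manager or an untracked env
# file avoids that.
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run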
/**
 * Update a pipeline returns "OK" response
 */
import { client, v1 } from "@datadog/datadog-api-client";

// No credentials appear in this file; createConfiguration() is called without
// arguments, so the keys presumably come from the environment
// (DD_API_KEY / DD_APP_KEY, as in the run command on this page).
const ddConfig = client.createConfiguration();
const pipelinesApi = new v1.LogsPipelinesApi(ddConfig);

// Newline-separated grok rules, used for both the match and support rules.
const grokRules = "rule_name_1 foo\nrule_name_2 bar\n";

// Single disabled grok parser that reads the "message" attribute.
const grokProcessor = {
  grok: {
    matchRules: grokRules,
    supportRules: grokRules,
  },
  isEnabled: false,
  samples: [],
  source: "message",
  type: "grok-parser",
};

// "pipeline_id" is a placeholder for the ID of the pipeline being replaced.
const updateRequest: v1.LogsPipelinesApiUpdateLogsPipelineRequest = {
  body: {
    filter: {
      query: "source:python",
    },
    name: "",
    processors: [grokProcessor],
    tags: [],
  },
  pipelineId: "pipeline_id",
};

const onSuccess = (data: v1.LogsPipeline) => {
  console.log("API called successfully. Returned data: " + JSON.stringify(data));
};

const onFailure = (error: any) => console.error(error);

pipelinesApi.updateLogsPipeline(updateRequest).then(onSuccess).catch(onFailure);