Sets a prefix for all event fields added by the transform.
Option 1
optional
string
An optional path that deserializes an empty string to None.
refresh_interval_secs
optional
integer
The interval between querying for updated metadata, in seconds.
fields
optional
[string]
A list of metadata fields to include in each transformed event.
tags
optional
[string]
A list of instance tags to include in each transformed event.
refresh_timeout_secs
optional
integer
The timeout for querying the EC2 metadata endpoint, in seconds.
proxy
optional
object
Proxy configuration.
Configure to proxy traffic through an HTTP(S) proxy when making external requests.
Similar to common proxy configuration convention, users can set different proxies
to use based on the type of traffic being proxied, as well as set specific hosts that
should not be proxied.
enabled
optional
boolean
Enables proxying support.
default: true
http
optional
uri
Proxy endpoint to use when proxying HTTP traffic.
Must be a valid URI string.
default: null
https
optional
uri
Proxy endpoint to use when proxying HTTPS traffic.
Must be a valid URI string.
default: null
no_proxy
optional
[string]
A list of hosts to avoid proxying.
Multiple patterns are allowed:
Pattern
Example match
Domain names
example.com matches requests to example.com
Wildcard domains
.example.com matches requests to example.com and its subdomains
When no field matching configuration is specified, events are matched using the timestamp,
host, and message fields from an event. The specific field names used are those set in
the global log schema configuration.
Option 1
optional
<oneOf>
Options to control what fields to match against.
When no field matching configuration is specified, events are matched using the timestamp,
host, and message fields from an event. The specific field names used are those set in
the global log schema configuration.
MatchFields
optional
object
Matches events using only the specified fields.
match
required
[string]
IgnoreFields
optional
object
Matches events using all fields except for the ignored ones.
ignore
required
[string]
cache
optional
object
Caching configuration for deduplication.
num_events
required
integer
Number of events to cache and use for comparing incoming events to previously seen events.
Specifying this version ensures that backward compatibility is not broken.
Option 1
optional
<oneOf>
Marker type for the version one of the configuration for the lua transform.
1
optional
1
Lua transform API version 1.
This version is deprecated and will be removed in a future version.
source
required
string
The Lua program to execute for each event.
search_dirs
optional
[string]
A list of directories to search when loading a Lua file via the require function.
If not specified, the modules are looked up in the configuration directories.
Option 2
optional
Configuration for version two.
version
required
<oneOf>
Transform API version.
Specifying this version ensures that backward compatibility is not broken.
2
optional
2
Lua transform API version 2.
source
optional
string,null
The Lua program to initialize the transform with.
The program can be used to to import external dependencies, as well as define the functions
used for the various lifecycle hooks. However, it's not strictly required, as the lifecycle
hooks can be configured directly with inline Lua source for each respective hook.
search_dirs
optional
[string]
A list of directories to search when loading a Lua file via the require function.
If not specified, the modules are looked up in the configuration directories.
hooks
required
object
Lifecycle hooks.
These hooks can be set to perform additional processing during the lifecycle of the transform.
init
optional
string,null
The function called when the first event comes in, before hooks.process is called.
It can produce new events using the emit function.
This can either be inline Lua that defines a closure to use, or the name of the Lua function to call. In both
cases, the closure/function takes a single parameter, emit, which is a reference to a function for emitting events.
process
required
string
The function called for each incoming event.
It can produce new events using the emit function.
This can either be inline Lua that defines a closure to use, or the name of the Lua function to call. In both
cases, the closure/function takes two parameters. The first parameter, event, is the event being processed,
while the second parameter, emit, is a reference to a function for emitting events.
shutdown
optional
string,null
The function called when the transform is stopped.
It can produce new events using the emit function.
This can either be inline Lua that defines a closure to use, or the name of the Lua function to call. In both
cases, the closure/function takes a single parameter, emit, which is a reference to a function for emitting events.
timers
optional
[object]
A list of timers which should be configured and executed periodically.
interval_seconds
required
integer
The interval to execute the handler, in seconds.
handler
required
string
The handler function which is called when the timer ticks.
It can produce new events using the emit function.
This can either be inline Lua that defines a closure to use, or the name of the Lua function
to call. In both cases, the closure/function takes a single parameter, emit, which is a
reference to a function for emitting events.
metric_tag_values
optional
<oneOf>
When set to single, metric tag values are exposed as single strings, the
same as they were before this config option. Tags with multiple values show the last assigned value, and null values
are ignored.
When set to full, all metric tags are exposed as arrays of either string or null
values.
single
optional
single
Tag values are exposed as single strings, the same as they were before this config
option. Tags with multiple values show the last assigned value, and null values
are ignored.
full
optional
full
All tags are exposed as arrays of either string or null values.
The namespace to use for logs. This overrides the global setting.
metric_tag_values
optional
<oneOf>
Controls how metric tag values are encoded.
When set to single, only the last non-bare value of tags are displayed with the
metric. When set to full, all metric tags are exposed as separate assignments as
described by the native_json codec.
single
optional
single
Tag values are exposed as single strings, the same as they were before this config
option. Tags with multiple values show the last assigned value, and null values
are ignored.
full
optional
full
All tags are exposed as arrays of either string or null values.
The maximum period of time to wait after the last event is received, in milliseconds, before
a combined event should be considered complete.
flush_period_ms
optional
integer
The interval to check for and flush any expired events, in milliseconds.
max_events
optional
integer,null
The maximum number of events to group together.
group_by
optional
[string]
An ordered list of fields by which to group events.
Each group with matching values for the specified keys is reduced independently, allowing
you to keep independent event streams separate. When no fields are specified, all events
are combined in a single group.
For example, if group_by = ["host", "region"], then all incoming events that have the same
host and region are grouped together before being reduced.
merge_strategies
optional
object
A map of field names to custom merge strategies.
For each field specified, the given strategy is used for combining events rather than
the default behavior.
The default behavior is as follows:
The first value of a string field is kept and subsequent values are discarded.
For timestamp fields the first is kept and a new field [field-name]_end is added with
the last received timestamp value.
Numeric values are summed.
ends_when
optional
<oneOf>
A condition used to distinguish the final event of a transaction.
If this condition resolves to true for an event, the current transaction is immediately
flushed with this event.
Option 1
optional
<oneOf>
An event matching condition.
Many methods exist for matching events, such as using a VRL expression, a Datadog Search query string,
or hard-coded matchers like "must be a metric" or "fields A, B, and C must match these constraints".
As VRL is the most common way to apply conditions to events, this type provides a shortcut to define VRL expressions
directly in the configuration by passing the VRL expression as a string:
condition = '.message == "hooray"'
When other condition types are required, they can be specified with an enum-style notation:
A condition used to distinguish the first event of a transaction.
If this condition resolves to true for an event, the previous transaction is flushed
(without this event) and a new transaction is started.
Option 1
optional
<oneOf>
An event matching condition.
Many methods exist for matching events, such as using a VRL expression, a Datadog Search query string,
or hard-coded matchers like "must be a metric" or "fields A, B, and C must match these constraints".
As VRL is the most common way to apply conditions to events, this type provides a shortcut to define VRL expressions
directly in the configuration by passing the VRL expression as a string:
condition = '.message == "hooray"'
When other condition types are required, they can be specified with an enum-style notation:
If a relative path is provided, its root is the current working directory.
Required if source is missing.
Option 1
optional
string
A file path.
metric_tag_values
optional
<oneOf>
When set to single, metric tag values are exposed as single strings, the
same as they were before this config option. Tags with multiple values show the last assigned value, and null values
are ignored.
When set to full, all metric tags are exposed as arrays of either string or null
values.
single
optional
single
Tag values are exposed as single strings, the same as they were before this config
option. Tags with multiple values show the last assigned value, and null values
are ignored.
full
optional
full
All tags are exposed as arrays of either string or null values.
timezone
optional
<oneOf>
The name of the timezone to apply to timestamp conversions that do not contain an explicit
time zone.
This overrides the global timezone option. The time zone name may be
any name in the TZ database, or local to indicate system local time.
Option 1
optional
<oneOf>
Timezone reference.
This can refer to any valid timezone as defined in the TZ database, or "local" which refers to the system local timezone.
Drops any event that encounters an error during processing.
Normally, if a VRL program encounters an error when processing an event, the original,
unmodified event is sent downstream. In some cases, you may not want to send the event
any further, such as if certain transformation or enrichment is strictly required. Setting
drop_on_error to true allows you to ensure these events do not get processed any
further.
Additionally, dropped events can potentially be diverted to a specially named output for
further logging and analysis by setting reroute_dropped.
drop_on_abort
optional
boolean
Drops any event that is manually aborted during processing.
Normally, if a VRL program is manually aborted (using abort) when
processing an event, the original, unmodified event is sent downstream. In some cases,
you may not wish to send the event any further, such as if certain transformation or
enrichment is strictly required. Setting drop_on_abort to true allows you to ensure
these events do not get processed any further.
Additionally, dropped events can potentially be diverted to a specially-named output for
further logging and analysis by setting reroute_dropped.
reroute_dropped
optional
boolean
Reroutes dropped events to a named output instead of halting processing on them.
When using drop_on_error or drop_on_abort, events that are "dropped" are processed no
further. In some cases, it may be desirable to keep the events around for further analysis,
debugging, or retrying.
In these cases, reroute_dropped can be set to true which forwards the original event
to a specially-named output, dropped. The original event is annotated with additional
fields describing why the event was dropped.
A table of route identifiers to logical conditions representing the filter of the route.
Each route can then be referenced as an input by other components with the name
<transform_name>.<route_id>. If an event doesn’t match any route, it is sent to the
<transform_name>._unmatched output.
Both _unmatched, as well as _default, are reserved output names and thus cannot be used
as a route name.
The rate at which events are forwarded, expressed as 1/N.
For example, rate = 10 means 1 out of every 10 events are forwarded and the rest are
dropped.
key_field
optional
string,null
The name of the log field whose value is hashed to determine if the event should be
passed.
Consistently samples the same events. Actual rate of sampling may differ from the configured
one if values in the field are not uniformly distributed. If left unspecified, or if the
event doesn't have key_field, then events are count rated.
exclude
optional
<oneOf>
An event matching condition.
A logical condition used to exclude events from sampling.
Option 1
optional
<oneOf>
An event matching condition.
Many methods exist for matching events, such as using a VRL expression, a Datadog Search query string,
or hard-coded matchers like "must be a metric" or "fields A, B, and C must match these constraints".
As VRL is the most common way to apply conditions to events, this type provides a shortcut to define VRL expressions
directly in the configuration by passing the VRL expression as a string:
condition = '.message == "hooray"'
When other condition types are required, they can be specified with an enum-style notation:
The number of events allowed for a given bucket per configured window_secs.
Each unique key has its own threshold.
window_secs
required
number
The time window in which the configured threshold is applied, in seconds.
key_field
optional
<oneOf>
The name of the log field whose value is hashed to determine if the event should be
rate limited.
Each unique key creates a bucket of related events to be rate limited separately. If
left unspecified, or if the event doesn't have key_field, then the event is not rate
limited separately.
Option 1
optional
string
A templated field.
In many cases, components can be configured so that part of the component's functionality can be
customized on a per-event basis. For example, you have a sink that writes events to a file and you want to
specify which file an event should go to by using an event field as part of the
input to the filename used.
By using Template, users can specify either fixed strings or templated strings. Templated strings use a common syntax to
refer to fields in an event that is used as the input data when rendering the template. An example of a fixed string
is my-file.log. An example of a template string is my-file-{{key}}.log, where {{key}}
is the key's value when the template is rendered into a string.
exclude
optional
<oneOf>
An event matching condition.
A logical condition used to exclude events from sampling.
Option 1
optional
<oneOf>
An event matching condition.
Many methods exist for matching events, such as using a VRL expression, a Datadog Search query string,
or hard-coded matchers like "must be a metric" or "fields A, B, and C must match these constraints".
As VRL is the most common way to apply conditions to events, this type provides a shortcut to define VRL expressions
directly in the configuration by passing the VRL expression as a string:
condition = '.message == "hooray"'
When other condition types are required, they can be specified with an enum-style notation: