Les pipelines et les processeurs fonctionnent sur les logs entrants : ils effectuent le parsing de ces logs et les transforment en attributs structurés pour faciliter les requêtes.
Consultez la [page de configuration des pipelines] (https://app.datadoghq.com/logs/pipelines) pour obtenir une liste des pipelines et des processeurs actuellement configurés dans l’interface utilisateur Web.
Remarque : ces endpoints sont uniquement disponibles pour les utilisateurs admin. Veillez à utiliser une clé d’application créée par un admin.
Les règles de parsing Grok peuvent affecter la sortie JSON et nécessitent de configurer les données renvoyées avant leur utilisation dans une requête.
Par exemple, si vous utilisez les données renvoyées par une requête dans un autre corps de requête, et que vous avez une règle de parsing qui utilise une expression regex comme \s pour les espaces, vous devrez configurer tous les espaces échappés en tant que %{space} pour utiliser les données.
"""
Get pipeline order returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.logs_pipelines_apiimportLogsPipelinesApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=LogsPipelinesApi(api_client)response=api_instance.get_logs_pipeline_order()print(response)
# Get pipeline order returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::LogsPipelinesAPI.newpapi_instance.get_logs_pipeline_order()
// Get pipeline order returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.GetLogsPipelineOrder(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.GetLogsPipelineOrder`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.GetLogsPipelineOrder`:\n%s\n",responseContent)}
// Get pipeline order returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipelinesOrder;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{LogsPipelinesOrderresult=apiInstance.getLogsPipelineOrder();System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#getLogsPipelineOrder");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get pipeline order returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=LogsPipelinesAPI::with_config(configuration);letresp=api.get_logs_pipeline_order().await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Get pipeline order returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);apiInstance.getLogsPipelineOrder().then((data: v1.LogsPipelinesOrder)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Mettez à jour la séquence de vos pipelines. Les logs étant traités de manière séquentielle, la réorganisation d’un pipeline peut changer la structure et le contenu des données traitées par les autres pipelines et leurs processeurs.
Remarque : la méthode PUT permet de mettre à jour la séquence des pipelines en remplaçant votre séquence actuelle par la nouvelle, envoyée à votre organisation Datadog.
Requête
Body Data (required)
Objet contenant la nouvelle liste triée des ID de pipeline.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Update pipeline order returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);constparams: v1.LogsPipelinesApiUpdateLogsPipelineOrderRequest={body:{pipelineIds:["tags","org_ids","products"],},};apiInstance.updateLogsPipelineOrder(params).then((data: v1.LogsPipelinesOrder)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
"""
Get all pipelines returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.logs_pipelines_apiimportLogsPipelinesApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=LogsPipelinesApi(api_client)response=api_instance.list_logs_pipelines()print(response)
# Get all pipelines returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::LogsPipelinesAPI.newpapi_instance.list_logs_pipelines()
// Get all pipelines returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.ListLogsPipelines(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.ListLogsPipelines`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.ListLogsPipelines`:\n%s\n",responseContent)}
// Get all pipelines returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipeline;importjava.util.List;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{List<LogsPipeline>result=apiInstance.listLogsPipelines();System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#listLogsPipelines");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get all pipelines returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=LogsPipelinesAPI::with_config(configuration);letresp=api.list_logs_pipelines().await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Get all pipelines returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);apiInstance.listLogsPipelines().then((data: v1.LogsPipeline[])=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Create a pipeline returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);constparams: v1.LogsPipelinesApiCreateLogsPipelineRequest={body:{filter:{query:"source:python",},name:"",processors:[{grok:{matchRules:`rule_name_1 foo
rule_name_2 bar
`,supportRules:`rule_name_1 foo
rule_name_2 bar
`,},isEnabled: false,samples:[],source:"message",type:"grok-parser",},],},};apiInstance.createLogsPipeline(params).then((data: v1.LogsPipeline)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
"""
Get a pipeline returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.logs_pipelines_apiimportLogsPipelinesApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=LogsPipelinesApi(api_client)response=api_instance.get_logs_pipeline(pipeline_id="pipeline_id",)print(response)
# Get a pipeline returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::LogsPipelinesAPI.newpapi_instance.get_logs_pipeline("pipeline_id")
// Get a pipeline returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewLogsPipelinesApi(apiClient)resp,r,err:=api.GetLogsPipeline(ctx,"pipeline_id")iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `LogsPipelinesApi.GetLogsPipeline`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `LogsPipelinesApi.GetLogsPipeline`:\n%s\n",responseContent)}
// Get a pipeline returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.LogsPipelinesApi;importcom.datadog.api.client.v1.model.LogsPipeline;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();LogsPipelinesApiapiInstance=newLogsPipelinesApi(defaultClient);try{LogsPipelineresult=apiInstance.getLogsPipeline("pipeline_id");System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling LogsPipelinesApi#getLogsPipeline");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a pipeline returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_logs_pipelines::LogsPipelinesAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=LogsPipelinesAPI::with_config(configuration);letresp=api.get_logs_pipeline("pipeline_id".to_string()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Get a pipeline returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);constparams: v1.LogsPipelinesApiGetLogsPipelineRequest={pipelineId:"pipeline_id",};apiInstance.getLogsPipeline(params).then((data: v1.LogsPipeline)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Delete a pipeline returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);constparams: v1.LogsPipelinesApiDeleteLogsPipelineRequest={pipelineId:"pipeline_id",};apiInstance.deleteLogsPipeline(params).then((data: any)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Mettez à jour une configuration de pipeline donnée pour modifier ses processeurs ou sa séquence.
Remarque : cette méthode permet de mettre à jour la configuration de votre pipeline en remplaçant votre configuration actuelle par la nouvelle, envoyée à votre organisation Datadog.
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
List of match rules for the grok parser, separated by a new line.
support_rules
string
List of support rules for the grok parser, separated by a new line.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
samples
[string]
List of sample logs to test this grok parser.
source [required]
string
Name of the log attribute to parse.
default: message
type [required]
enum
Type of logs grok parser.
Allowed enum values: grok-parser
default: grok-parser
Option 2
object
As Datadog receives logs, it timestamps them using the value(s) from any of these default attributes.
timestamp
date
_timestamp
Timestamp
eventTime
published_date
If your logs put their dates in an attribute not in this list,
use the log date Remapper Processor to define their date attribute as the official log timestamp.
The recognized date formats are ISO8601, UNIX (the milliseconds EPOCH format), and RFC3164.
Note: If your logs don’t contain any of the default attributes
and you haven’t defined your own date attribute, Datadog timestamps
the logs with the date it received them.
If multiple log date remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs date remapper.
Allowed enum values: date-remapper
default: date-remapper
Option 3
object
Use this Processor if you want to assign some attributes as the official status.
Each incoming status value is mapped as follows.
Integers from 0 to 7 map to the Syslog severity standards
Strings beginning with emerg or f (case-insensitive) map to emerg (0)
Strings beginning with a (case-insensitive) map to alert (1)
Strings beginning with c (case-insensitive) map to critical (2)
Strings beginning with err (case-insensitive) map to error (3)
Strings beginning with w (case-insensitive) map to warning (4)
Strings beginning with n (case-insensitive) map to notice (5)
Strings beginning with i (case-insensitive) map to info (6)
Strings beginning with d, trace or verbose (case-insensitive) map to debug (7)
Strings beginning with o or matching OK or Success (case-insensitive) map to OK
All others map to info (6)
Note: If multiple log status remapper processors can be applied to a given log,
only the first one (according to the pipelines order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs status remapper.
Allowed enum values: status-remapper
default: status-remapper
Option 4
object
Use this processor if you want to assign one or more attributes as the official service.
Note: If multiple service remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
type [required]
enum
Type of logs service remapper.
Allowed enum values: service-remapper
default: service-remapper
Option 5
object
The message is a key attribute in Datadog.
It is displayed in the message column of the Log Explorer and you can do full string search on it.
Use this Processor to define one or more attributes as the official log message.
Note: If multiple log message remapper processors can be applied to a given log,
only the first one (according to the pipeline order) is taken into account.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: msg
type [required]
enum
Type of logs message remapper.
Allowed enum values: message-remapper
default: message-remapper
Option 6
object
The remapper processor remaps any source attribute(s) or tag to another target attribute or tag.
Constraints on the tag/attribute name are explained in the Tag Best Practice documentation.
Some additional constraints are applied as : or , are not allowed in the target tag/attribute name.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
override_on_conflict
boolean
Override or not the target element if already set,
preserve_source
boolean
Remove or preserve the remapped source element.
source_type
string
Defines if the sources are from log attribute or tag.
default: attribute
sources [required]
[string]
Array of source attributes.
target [required]
string
Final attribute or tag name to remap the sources to.
target_format
enum
If the target_type of the remapper is attribute, try to cast the value to a new specific type.
If the cast is not possible, the original type is kept. string, integer, or double are the possible types.
If the target_type is tag, this parameter may not be specified.
Allowed enum values: auto,string,integer,double
target_type
string
Defines if the final attribute or tag name is from log attribute or tag.
default: attribute
type [required]
enum
Type of logs attribute remapper.
Allowed enum values: attribute-remapper
default: attribute-remapper
Option 7
object
This processor extracts query parameters and other important parameters from a URL.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
normalize_ending_slashes
boolean
Normalize the ending slashes or not.
sources [required]
[string]
Array of source attributes.
default: http.url
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.url_details
type [required]
enum
Type of logs URL parser.
Allowed enum values: url-parser
default: url-parser
Option 8
object
The User-Agent parser takes a User-Agent attribute and extracts the OS, browser, device, and other user data.
It recognizes major bots like the Google Bot, Yahoo Slurp, and Bing.
is_enabled
boolean
Whether or not the processor is enabled.
is_encoded
boolean
Define if the source attribute is URL encoded or not.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: http.useragent
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: http.useragent_details
type [required]
enum
Type of logs User-Agent parser.
Allowed enum values: user-agent-parser
default: user-agent-parser
Option 9
object
Use the Category Processor to add a new attribute (without spaces or special characters in the new attribute name)
to a log matching a provided search query. Use categories to create groups for an analytical view.
For example, URL groups, machine groups, environments, and response time buckets.
Notes:
The syntax of the query is the one of Logs Explorer search bar.
The query can be done on any log attribute or tag, whether it is a facet or not.
Wildcards can also be used inside your query.
Once the log has matched one of the Processor queries, it stops.
Make sure they are properly ordered in case a log could match several queries.
The names of the categories must be unique.
Once defined in the Category Processor, you can map categories to log status using the Log Status Remapper.
categories [required]
[object]
Array of filters to match or not a log and their
corresponding name to assign a custom value to the log.
filter
object
Filter for logs.
query
string
The filter query.
name
string
Value to assign to the target attribute.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
target [required]
string
Name of the target attribute which value is defined by the matching category.
type [required]
enum
Type of logs category processor.
Allowed enum values: category-processor
default: category-processor
Option 10
object
Use the Arithmetic Processor to add a new attribute (without spaces or special characters
in the new attribute name) to a log with the result of the provided formula.
This enables you to remap different time attributes with different units into a single attribute,
or to compute operations on attributes within the same log.
The formula can use parentheses and the basic arithmetic operators -, +, *, /.
By default, the calculation is skipped if an attribute is missing.
Select “Replace missing attribute by 0” to automatically populate
missing attribute values with 0 to ensure that the calculation is done.
An attribute is missing if it is not found in the log attributes,
or if it cannot be converted to a number.
Notes:
The operator - needs to be space split in the formula as it can also be contained in attribute names.
If the target attribute already exists, it is overwritten by the result of the formula.
Results are rounded up to the 9th decimal. For example, if the result of the formula is 0.1234567891,
the actual value stored for the attribute is 0.123456789.
If you need to scale a unit of measure,
see Scale Filter.
expression [required]
string
Arithmetic operation between one or more log attributes.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of expression by 0, false
skip the operation if an attribute is missing.
name
string
Name of the processor.
target [required]
string
Name of the attribute that contains the result of the arithmetic operation.
type [required]
enum
Type of logs arithmetic processor.
Allowed enum values: arithmetic-processor
default: arithmetic-processor
Option 11
object
Use the string builder processor to add a new attribute (without spaces or special characters)
to a log with the result of the provided template.
This enables aggregation of different attributes or raw strings into a single attribute.
The template is defined by both raw text and blocks with the syntax %{attribute_path}.
Notes:
The processor only accepts attributes with values or an array of values in the blocks.
If an attribute cannot be used (object or array of object),
it is replaced by an empty string or the entire operation is skipped depending on your selection.
If the target attribute already exists, it is overwritten by the result of the template.
Results of the template cannot exceed 256 characters.
is_enabled
boolean
Whether or not the processor is enabled.
is_replace_missing
boolean
If true, it replaces all missing attributes of template by an empty string.
If false (default), skips the operation for missing attributes.
name
string
Name of the processor.
target [required]
string
The name of the attribute that contains the result of the template.
template [required]
string
A formula with one or more attributes and raw text.
type [required]
enum
Type of logs string builder processor.
Allowed enum values: string-builder-processor
default: string-builder-processor
Option 12
object
Nested Pipelines are pipelines within a pipeline. Use Nested Pipelines to split the processing into two steps.
For example, first use a high-level filtering such as team and then a second level of filtering based on the
integration, service, or any other tag or attribute.
A pipeline can contain Nested Pipelines and Processors whereas a Nested Pipeline can only contain Processors.
filter
object
Filter for logs.
query
string
The filter query.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
processors
[object]
Ordered list of processors in this pipeline.
type [required]
enum
Type of logs pipeline processor.
Allowed enum values: pipeline
default: pipeline
Option 13
object
The GeoIP parser takes an IP address attribute and extracts if available
the Continent, Country, Subdivision, and City information in the target attribute path.
is_enabled
boolean
Whether or not the processor is enabled.
name
string
Name of the processor.
sources [required]
[string]
Array of source attributes.
default: network.client.ip
target [required]
string
Name of the parent attribute that contains all the extracted details from the sources.
default: network.client.geoip
type [required]
enum
Type of GeoIP parser.
Allowed enum values: geo-ip-parser
default: geo-ip-parser
Option 14
object
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in the processors mapping table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
default_lookup
string
Value to set the target attribute if the source value is not found in the list.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_table [required]
[string]
Mapping table of values for the source attribute and their associated target attribute values,
formatted as ["source_key1,target_value1", "source_key2,target_value2"]
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list
or the default_lookup if not found in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 15
object
Note: Reference Tables are in public beta.
Use the Lookup Processor to define a mapping between a log attribute
and a human readable value saved in a Reference Table.
For example, you can use the Lookup Processor to map an internal service ID
into a human readable service name. Alternatively, you could also use it to check
if the MAC address that just attempted to connect to the production
environment belongs to your list of stolen machines.
is_enabled
boolean
Whether or not the processor is enabled.
lookup_enrichment_table [required]
string
Name of the Reference Table for the source attribute and their associated target attribute values.
name
string
Name of the processor.
source [required]
string
Source attribute used to perform the lookup.
target [required]
string
Name of the attribute that contains the corresponding value in the mapping list.
type [required]
enum
Type of logs lookup processor.
Allowed enum values: lookup-processor
default: lookup-processor
Option 16
object
There are two ways to improve correlation between application traces and logs.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Update a pipeline returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.LogsPipelinesApi(configuration);constparams: v1.LogsPipelinesApiUpdateLogsPipelineRequest={body:{filter:{query:"source:python",},name:"",processors:[{grok:{matchRules:`rule_name_1 foo
rule_name_2 bar
`,supportRules:`rule_name_1 foo
rule_name_2 bar
`,},isEnabled: false,samples:[],source:"message",type:"grok-parser",},],},pipelineId:"pipeline_id",};apiInstance.updateLogsPipeline(params).then((data: v1.LogsPipeline)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));