Field Parser
Extracts JSON objects and KV structures from TenXTemplates as named fields.
This process enables TenXObjects to access nested JSON/KV values at runtime as named members.
For an hybrid JSON/plain event whose text value is:
17/06/24 17:38:00 INFO ExecutorRunnable: Prepared Local resources Map(__spark__.jar -> resource
{ scheme: "hdfs" host: "10.10.34.11" port: 9000
file: "/user/curi/.sparkStaging/application_1485248649253_0144/spark-assembly-1.6.0-hadoop2.2.0.jar" }
size: 109525492 timestamp: 1497001131801 type: FILE visibility: PRIVATE)
To increase a counter identified by a JSON field (scheme) value with that of a KV entry (size):
To drop the instance if either a KV entry (e.g., visibility) or JSON field (e.g., port) match a specified value:
Arrays
If a JSON/KV field appears more than once within an TenXObject's text, it can be accessed as an array field to access individual entries (e.g., this.myField[i]).
Config Files
To configure the Field parser unit, Edit these files.
Below is the default configuration from: fields/config.yaml.
ewogICJ0eXBlIiA6ICJvYmplY3QiLAogICJwcm9wZXJ0aWVzIiA6IHsKICAgICJ0ZW54IiA6IHsKICAgICAgInR5cGUiIDogInN0cmluZyIKICAgIH0sCiAgICAiZmllbGQiIDogewogICAgICAidHlwZSIgOiAib2JqZWN0IiwKICAgICAgImFkZGl0aW9uYWxQcm9wZXJ0aWVzIiA6IGZhbHNlLAogICAgICAicHJvcGVydGllcyIgOiB7CiAgICAgICAgImV4dHJhY3QiIDogewogICAgICAgICAgInR5cGUiIDogWwogICAgICAgICAgICAiYm9vbGVhbiIsCiAgICAgICAgICAgICJzdHJpbmciLAogICAgICAgICAgICAibnVsbCIKICAgICAgICAgIF0sCiAgICAgICAgICAibWFya2Rvd25EZXNjcmlwdGlvbiIgOiAiU2NhbiBUZW5YVGVtcGxhdGUgZm9yIG5lc3RlZCBKU09OIG9iamVjdHMgb3Iga2V5LXZhbHVlIGxpc3RzXG5cbkNvbnRyb2xzIHdoZXRoZXIgdG8gc2NhbiBUZW5YVGVtcGxhdGVzIGZvciBKU09OIG9iamVjdHMgb3Iga2V5LXZhbHVlIGxpc3RzIChlLmcuLCBge1wicHJpY2VcIjogMTB9YCBvciBgcHJpY2U9MTBgKS4gVGVuWE9iamVjdHMgaW5zdGFuY2VzIG9mIHRoaXMgdGVtcGxhdGUgd2lsbCBwcm92aWRlIGFjY2VzcyB0byB0aGVzZSBmaWVsZHMgYXMgbmFtZWQgbWVtYmVycyAoZS5nLiwgYHRoaXMucHJpY2VgKS4gSWYgYSBmaWVsZCBhcHBlYXJzIG1vcmUgdGhhbiBvbmNlIGluIFt0ZXh0XShodHRwczovL2RvYy5sb2cxMHguY29tL2FwaS9qcy8jVGVuWEJhc2VPYmplY3QrdGV4dCkgaXQgaXMgYWNjZXNzaWJsZSBhcyBhbiBhcnJheSAoZS5nLiwgYHRoaXMucHJpY2VbMV1gKS4gKEFjY2VwdHMgYm9vbGVhbiBvciBzdHJpbmcgd2l0aCAkPSBwcmVmaXggZm9yIHJ1bnRpbWUgZXZhbHVhdGlvbikgKERlZmF1bHQ6IHRydWUpIiwKICAgICAgICAgICJkZWZhdWx0IiA6IHRydWUKICAgICAgICB9LAogICAgICAgICJuYW1lQnJlYWtzIiA6IHsKICAgICAgICAgICJ0eXBlIiA6IFsKICAgICAgICAgICAgInN0cmluZyIsCiAgICAgICAgICAgICJudWxsIgogICAgICAgICAgXSwKICAgICAgICAgICJtYXJrZG93bkRlc2NyaXB0aW9uIiA6ICJLViBmaWVsZCBuYW1lIHRlcm1pbmF0b3IgY2hhcnNcblxuQ29udHJvbHMgd2hpY2ggJ3RleHQnIGNoYXJhY3RlcnMgbGVmdCBvZiBhIGNhbmRpZGF0ZSB0b2tlbiBmb3IgYmVpbmcgYSAna2V5JyBpbiBhIEtWIGZpZWxkIGZvcm1hdGlvbiBzaG91bGQgc2VydmUgYXMgYSB0ZXJtaW5hdG9yIGZvciB0aGUgc2VhcmNoLiAgIEZvciBleGFtcGxlLCBmb3IgYW4gVGVuWE9iamVjdCB3aG9zZSBbdGV4dF0oaHR0cHM6Ly9kb2MubG9nMTB4LmNvbS9hcGkvanMvI1RlblhCYXNlT2JqZWN0K3RleHQpIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgZW50cnkgJyx0eF9yZXN1bHQ9T0snLCB0aGUgZGVzaXJlZCBrZXkgc2hvdWxkIGJlICd0eF9yZXN1bHQnLCBhbmQgc28gdGhlIG5hbWUgdGVybWluYXRvciBjaGFyYWN0ZXIgc2hvdWxkIGJlICcsJyB2cy4gJ18nIChpbiB3aGljaCBjYXNlIHRoZSBrZXkgd291bGQgaGF2ZSBiZWVuIG5hbWVkICdyZXN1bHQnKS4gKERlZmF1bHQ6ICwgL1xce30uKClbXSkiLAogICAgICAgICAgImRlZmF1bHQiIDogIiwgL1xce30uKClbXSIKICAgICAgICB9LAogICAgICAgICJ2YWx1ZUJyZWFrcyIgOiB7CiAgICAgICAgICAidHlwZSIgOiBbCiAgICAgICAgICAgICJzdHJpbmciLAogICAgICAgICAgICAibnVsbCIKICAgICAgICAgIF0sCiAgICAgICAgICAibWFya2Rvd25EZXNjcmlwdGlvbiIgOiAiS1YgZmllbGQgdmFsdWUgdGVybWluYXRvciBjaGFyc1xuXG5Db250cm9scyB3aGljaCBjaGFyYWN0ZXJzIGZvdW5kIHRvIHRoZSByaWdodCBvZiBhIHRva2VuIHdob3NlIGlzIGEgY2FuZGlkYXRlIGZvciBiZWluZyBhICd2YWx1ZScgaW4gYSBLViBmaWVsZCBmb3JtYXRpb24gc2hvdWxkIHNlcnZlICBhcyBhIHRlcm1pbmF0b3IgZm9yIHRoZSBzZWFyY2guICAgRm9yIGV4YW1wbGUsIGZvciBhbiBvYmplY3Qgd2hvc2UgW3RleHRdKGh0dHBzOi8vZG9jLmxvZzEweC5jb20vYXBpL2pzLyNUZW5YQmFzZU9iamVjdCt0ZXh0KSBmaWVsZCBjb250YWlucyB0aGUgZm9sbG93aW5nIGVudHJ5OiAnc3RhdHVzPVJFU1VMVF9TVUNDRVNTJyB0aGUgZGVzaXJlZCBLViB2YWx1ZSAgc2hvdWxkIGJlICdSRVNVTFRfU1VDQ0VTUycsIGFuZCBhcyBzdWNoIHRoZSB2YWx1ZSB0ZXJtaW5hdG9yIGNoYXJhY3RlciAgc2hvdWxkIGJlICcsJyB2cy4gJ18nIChpbiB3aGljaCBjYXNlIHRoZSB2YWx1ZSB3b3VsZCBiZSAnUkVTVUxUJykuIChEZWZhdWx0OiAvXFx7fSgpW10pIiwKICAgICAgICAgICJkZWZhdWx0IiA6ICIvXFx7fSgpW10iCiAgICAgICAgfQogICAgICB9CiAgICB9CiAgfSwKICAiYWRkaXRpb25hbFByb3BlcnRpZXMiIDogZmFsc2UKfQ==
# 🔟❎ 'run' TenXTemplate field extract configuration
# Configure how to extract JSON objects and KV structures from TenXTemplates.
# To learn more see https://doc.log10x.com/run/transform/fields/
# Set the 10x pipeline to 'run'
tenx: run
# =============================== Extract Options =============================
field:
# 'extract' controls whether to scan TenXTemplate for JSON
# objects or key-value lists (e.g., 'X=Y').
extract: true
# 'nameBreaks' controls which characters found to the left of a token
# whose is a candidate for being a 'key' in a KV field formation should serve
# as a terminator for the search. For example, for an object whose 'text' field
# contains the following entry ',tx_result=OK' the desired key name should be 'tx_result'
# and as such, the name terminator character should be ',' vs. '_' (in which case
# the key would have been named 'result').
nameBreaks: ', /\{}.()[]'
# 'valueBreaks' controls which characters found to the right of a token
# whose is a candidate for being a 'value' in a KV field formation should serve
# as a terminator for the search. For example, for an object whose 'text' field
# contains the following entry: 'status=RESULT_SUCCESS' the desired KV value
# should be 'RESULT_SUCCESS', and as such, the value terminator character
# should be ',' vs. '_' (in which case the value would be 'RESULT').
valueBreaks: ', /\{}()[]'
Options
Specify the options below to configure the Field parser:
| Name | Description |
|---|---|
| fieldExtract | Scan TenXTemplate for nested JSON objects or key-value lists |
| fieldNameBreaks | KV field name terminator chars |
| fieldValueBreaks | KV field value terminator chars |
fieldExtract
Scan TenXTemplate for nested JSON objects or key-value lists.
| Type | Default |
|---|---|
| Boolean | true |
Controls whether to scan TenXTemplates for JSON objects or key-value lists (e.g., {"price": 10} or price=10).
TenXObjects instances of this template will provide access to these fields as named members (e.g., this.price).
If a field appears more than once in text it is accessible as an array (e.g., this.price[1]).
fieldNameBreaks
KV field name terminator chars.
| Type | Default |
|---|---|
| String | , /\{}.()[] |
Controls which 'text' characters left of a candidate token for being a 'key' in a KV field formation should serve as a terminator for the search.
For example, for an TenXObject whose text contains the following entry ',tx_result=OK', the desired key should be 'tx_result', and so the name terminator character should be ',' vs. '_' (in which case the key would have been named 'result').
fieldValueBreaks
KV field value terminator chars.
| Type | Default |
|---|---|
| String | /\{}()[] |
Controls which characters found to the right of a token whose is a candidate for being a 'value' in a KV field formation should serve as a terminator for the search.
For example, for an object whose text field contains the following entry: 'status=RESULT_SUCCESS' the desired KV value should be 'RESULT_SUCCESS', and as such the value terminator character should be ',' vs. '_' (in which case the value would be 'RESULT').
This unit is defined in fields/unit.yaml.