Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now

Parse JSON

MetricsLogsTracesBindPlane Agent
v1.36.0+

Description

The Parse JSON Processor is utilized to parse JSON strings from specified fields within log, metric, or trace data. It's particularly useful when your telemetry data contains serialized JSON strings, and you need to convert them into a structured format for easier analysis and filtering. The processor supports specifying the source field and the target field for the parsed JSON data, offering flexibility in handling diverse data structures.

Use

When dealing with telemetry data that includes JSON strings embedded within logs, metrics, or traces, the Parse JSON Processor becomes instrumental. For instance, logs from certain applications or systems might contain JSON strings representing specific attributes or metadata. By utilizing the Parse JSON Processor, these JSON strings can be parsed and converted into structured data, enhancing readability and facilitating more complex queries and analyses.

Configuration

FieldDescription
Telemetry TypesThe types of telemetry to apply the processor to.
ConditionThe condition to apply the JSON parsing. It supports OTTL expressions for logs, metrics, and traces. This field determines which telemetry data entries are processed based on their content and attributes.
Source Field TypeDetermines the type of source field for logs, metrics, or traces. This can be Resource, Attribute, Body, or Custom for logs and Resource, Attribute, or Custom for metrics and traces. It defines where the processor should look to find the JSON string to parse.
Source FieldSpecifies the exact field where the JSON string is located, based on the selected Source Field Type. For instance, if the Source Field Type is Attribute, this field should specify the particular attribute containing the JSON string.
Target Field TypeLike the Source Field Type, this field determines the type of target field for logs, metrics, or traces where the parsed JSON data will be stored. The options are similar, allowing users to store the parsed data as a resource, attribute, body, or in a custom field.
Target FieldSpecifies the exact field where the parsed JSON data will be stored, based on the selected Target Field Type. This allows users to organize and structure the parsed data in a manner that facilitates easy querying and analysis.

Example Configurations

Parse JSON from Logs

In this example, we are looking to parse JSON strings from a log's attribute field and store the parsed data back into another attribute field. The logs contain JSON strings detailing additional information about log events, and we want to make this data more accessible.

observIQ docs - Parse JSON - image 1

Here is a sample log entry:

JSON
1{
2  "level": "info",
3  "eventDetails": "{\"action\": \"login\", \"status\": \"success\"}"
4}

We want to parse the JSON string from the eventDetails attribute and store it as structured data within the log entry. The configuration for the Parse JSON Processor would be:

  • Condition: "attributes['eventDetails'] != nil"
  • Source Field Type: Attribute
  • Source Field: eventDetails
  • Target Field Type: Attribute
  • Target Field: parsedEventDetails

The resulting log entry after processing would be:

JSON
1{
2  "level": "info",
3  "eventDetails": "{\"action\": \"login\", \"status\": \"success\"}",
4  "parsedEventDetails": {
5    "action": "login",
6    "status": "success"
7  }
8}

This structured format makes it easier to filter and analyze the log data based on the action and status fields.