[pkg/ottl] Converter: MarshalKeyValue #35334
Labels
Comments
kuiperda
added
enhancement
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
I think key/value format is simple enough that providing a marshaler makes sense. Handling of nested elements can just be a documented caveat that they are rendered as strings. Users can always use the dedicated |
|
Hello, I would like to look at this issue! |
|
@odubajDT I am working on an implementation for this already. This issue is intended to gain consensus around a standard. |
|
Initial implementation added in #35409 |
|
Removing |
djaglowski
pushed a commit
that referenced
this issue
Oct 1, 2024
**Description:** <Describe what has changed.> <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> Implements ToKeyValueString OTTL Converter. **Link to tracking Issue:** #35334 **Testing:** Added unit tests and e2e **Documentation:** Added
|
Completed with #35409 |
jriguera
pushed a commit
to springernature/opentelemetry-collector-contrib
that referenced
this issue
Oct 4, 2024
**Description:** <Describe what has changed.> <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> Implements ToKeyValueString OTTL Converter. **Link to tracking Issue:** open-telemetry#35334 **Testing:** Added unit tests and e2e **Documentation:** Added
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Component(s)
pkg/ottl
Is your feature request related to a problem? Please describe.
Problem: Sending Windows Event Logs to QRadar
The recommended approach is to turn the event into key value pairs to put into the syslog rfc3164 message that QRadar expects and will automatically parse.
The current solution for this involves a long list of
setandconcatfuncs to manipulate the parsed record into Key Value format.Describe the solution you'd like
A simple MarshalKeyValue OTTL converter would take a
pcommon.Mapand convert it to astringof key value pairs with formatk=v k2=v2...It would be an inverse to the existing ParseKeyValue func. For detailed examples of behavior, see ParseKeyValue tests.
Note: There is some loss in the Parse func, i.e. trimming whitespace, removing wrapping
'and", and escaping".Marshal would persist this loss so composing the funcs would not be an exact inversion.
I would advocate for customizable delimiters with default being
=andMarshal would handle collisions with delimiters in the keys and values by wrapping the k/v in
"after escaping any unescaped"For nested maps and arrays, this simple case could automatically
flattenthem to the top level. But we may need to decide on a representation for nested maps and arrays and potentially allow customization of those symbols and delimiters as well. The other key consideration here is that Parse does not expect its input to be nested.Example
Simple example usage (Initially added as a processor in the Bindplane Agent)
Describe alternatives you've considered
Adding a processor that handles Key Value marshaling. An initial approach to this has already been added in the Bindplane Agent.
Additional context
No response
The text was updated successfully, but these errors were encountered: