diff --git a/content/en/observability_pipelines/processors/dedupe.md b/content/en/observability_pipelines/processors/dedupe.md index 8a7c97cc06a..e37ea647163 100644 --- a/content/en/observability_pipelines/processors/dedupe.md +++ b/content/en/observability_pipelines/processors/dedupe.md @@ -21,7 +21,7 @@ To set up the Deduplicate processor: 1. In the **Type of deduplication** dropdown menu, select whether you want to `Match` on or `Ignore` the fields specified below. - If `Match` is selected, then after a log passes through, future logs that have the same values for all of the fields you specify below are removed. - If `Ignore` is selected, then after a log passes through, future logs that have the same values for all of their fields, *except* the ones you specify below, are removed. -1. Enter the fields you want to match on, or ignore. At least one field is required, and you can specify a maximum of three fields. +1. Enter the fields you want to match on, or ignore. At least one field is required, and you can specify a maximum of three fields. - Use the path notation `.` to match subfields. See the [Path notation example](#path-notation-example) below. 1. Click **Add field** to add additional fields you want to filter on. @@ -38,23 +38,8 @@ The default cache size is 5,000 messages (recommended). The cached messages are ### Path notation example -For the following message structure: - -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` - -- Use `outer_key.inner_key` to refer to the key with the value `inner_value`. -- Use `outer_key.inner_key.double_inner_key` to refer to the key with the value `double_inner_value`. +{{% observability_pipelines/path_notation %}} + +{{% observability_pipelines/path_notation_dots %}} [1]: /observability_pipelines/search_syntax/logs/ 
diff --git a/content/en/observability_pipelines/processors/edit_fields.md b/content/en/observability_pipelines/processors/edit_fields.md index c26c972f196..68d7e2c935a 100644 --- a/content/en/observability_pipelines/processors/edit_fields.md +++ b/content/en/observability_pipelines/processors/edit_fields.md @@ -50,24 +50,9 @@ To set up the rename field processor: ### Path notation example {#path-notation-example-remap} - For the following message structure: - -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` - -- Use `outer_key.inner_key` to see the key with the value `inner_value`. -- Use `outer_key.inner_key.double_inner_key` to see the key with the value `double_inner_value`. +{{% observability_pipelines/path_notation %}} + +{{% observability_pipelines/path_notation_dots %}} [1]: /observability_pipelines/guide/remap_reserved_attributes [2]: /observability_pipelines/search_syntax/logs/ diff --git a/content/en/observability_pipelines/processors/parse_xml.md b/content/en/observability_pipelines/processors/parse_xml.md index afeed8498b8..d01fb4559d2 100644 --- a/content/en/observability_pipelines/processors/parse_xml.md +++ b/content/en/observability_pipelines/processors/parse_xml.md @@ -56,24 +56,9 @@ To set up this processor: ### Path notation example {#path-notation-example-parse-xml} -For the following message structure: +{{% observability_pipelines/path_notation %}} -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` - -- Use `outer_key.inner_key` to see the key with the value `inner_value`. -- Use `outer_key.inner_key.double_inner_key` to see the key with the value `double_inner_value`. +{{% observability_pipelines/path_notation_dots %}} ### Always use text key example 
diff --git a/content/en/observability_pipelines/processors/sensitive_data_scanner.md b/content/en/observability_pipelines/processors/sensitive_data_scanner.md index fac8b8d309a..e8253f8b516 100644 --- a/content/en/observability_pipelines/processors/sensitive_data_scanner.md +++ b/content/en/observability_pipelines/processors/sensitive_data_scanner.md @@ -91,24 +91,9 @@ After adding scanning rules from the library, you can edit each rule separately ### Path notation example - For the following message structure: - -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` +{{% observability_pipelines/path_notation %}} -- Use `outer_key.inner_key` to refer to the key with the value `inner_value`. -- Use `outer_key.inner_key.double_inner_key` to refer to the key with the value `double_inner_value`. +{{% observability_pipelines/path_notation_dots %}} ## Set up the processor using Terraform diff --git a/content/en/observability_pipelines/processors/split_array.md b/content/en/observability_pipelines/processors/split_array.md index 835e66685dc..a3f2a141c02 100644 --- a/content/en/observability_pipelines/processors/split_array.md +++ b/content/en/observability_pipelines/processors/split_array.md 
@@ -142,23 +142,8 @@ If the processor is splitting the arrays `"message.myfield.firstarray"` and `"se ### Path notation example {#path-notation-example-split-array} -For the following message structure: +{{% observability_pipelines/path_notation %}} -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` - -- Use `outer_key.inner_key` to refer to the key with the value `inner_value`. -- Use `outer_key.inner_key.double_inner_key` to refer to the key with the value `double_inner_value`. +{{% observability_pipelines/path_notation_dots %}} [1]: /observability_pipelines/search_syntax/logs/ diff --git a/content/en/observability_pipelines/search_syntax/logs.md b/content/en/observability_pipelines/search_syntax/logs.md index 90595f1fd20..9c44bf6a7bc 100644 --- a/content/en/observability_pipelines/search_syntax/logs.md +++ b/content/en/observability_pipelines/search_syntax/logs.md 
@@ -99,26 +99,9 @@ Here are some attribute search syntax examples and logs that match the syntax: #### Path notation -To understand path notation, let's look at the following log structure: +{{% observability_pipelines/path_notation %}} -```json -{ - "outer_key": { - "inner_key": "inner_value", - "a": { - "double_inner_key": "double_inner_value", - "b": "b value" - }, - "c": "c value" - }, - "d": "d value" -} -``` -In this example, use the following reference rules: -- Use `outer_key.inner_key` to reference the key with the value `inner_value`. -- Use `outer_key.a.double_inner_key` to reference the key with the value `double_inner_value`. - -If you want to search for a literal `.` in the attribute key, wrap the key in escaped quotes in the search query. For example, the search query `"service.status":disabled` matches the event `{"service.status": "disabled"}`. +If you want the query to search for a literal `.` in the attribute key, wrap the key in escaped quotes in the search query. For example, the search query `"service.status":disabled` matches the event `{"service.status": "disabled"}`. ### Arrays diff --git a/layouts/shortcodes/observability_pipelines/path_notation.en.md b/layouts/shortcodes/observability_pipelines/path_notation.en.md new file mode 100644 index 00000000000..02d9ddedafc --- /dev/null +++ b/layouts/shortcodes/observability_pipelines/path_notation.en.md @@ -0,0 +1,19 @@ +For this log structure example: + +```json +{ + "outer_key": { + "inner_key": "inner_value", + "a": { + "double_inner_key": "double_inner_value", + "b": "b value" + }, + "c": "c value" + }, + "d": "d value" +} +``` + +Follow these reference rules: +- Use `outer_key.inner_key` to reference the key with the value `inner_value`. +- Use `outer_key.a.double_inner_key` to reference the key with the value `double_inner_value`. 
diff --git a/layouts/shortcodes/observability_pipelines/path_notation_dots.en.md b/layouts/shortcodes/observability_pipelines/path_notation_dots.en.md new file mode 100644 index 00000000000..92c8a87563f --- /dev/null +++ b/layouts/shortcodes/observability_pipelines/path_notation_dots.en.md @@ -0,0 +1 @@ +To specify a nested field with a literal `.` in the attribute key, wrap the key in escaped quotes in the search query. For example, the search query `"service.status":disabled` matches the event `{"service.status": "disabled"}`.
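Review bot: The new `path_notation_dots.en.md` shortcode is worded for search queries ("wrap the key in escaped quotes in the search query", with the example `"service.status":disabled`), but this patch includes it in `dedupe.md`, `edit_fields.md`, `parse_xml.md`, `sensitive_data_scanner.md` and `split_array.md`, where the reader is entering a field path rather than a query. Suggest rewording the shortcode for field inputs and showing the example as a field path, or keeping the query wording only in `search_syntax/logs.md`. The text also says "escaped quotes" while the example shows plain double quotes, so state which form the field input expects. This matters most in `sensitive_data_scanner.md`, where a mistyped path would point a scanning rule at a different key than the one intended.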
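Review bot: In the `search_syntax/logs.md` hunk, the literal `.` sentence is reworded in place ("If you want the query to search for a literal `.` in the attribute key, ...") instead of being replaced with `{{% observability_pipelines/path_notation_dots %}}` as on the five processor pages. That leaves two nearly identical sentences to keep in sync. Suggest either using the shortcode here too, or, if the wording is meant to differ between queries and field inputs, making that difference explicit in both texts.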
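Review bot: In `path_notation.en.md`, the second rule reads `outer_key.a.double_inner_key`, while the blocks removed from `dedupe.md`, `edit_fields.md`, `parse_xml.md`, `sensitive_data_scanner.md` and `split_array.md` read `outer_key.inner_key.double_inner_key`, which does not match the sample JSON (`double_inner_key` sits under `a`). The patch therefore corrects the documented path on those pages as well as deduplicating the text. Suggest saying so in the commit description so the content fix is visible to reviewers and not read as a pure refactor.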
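Review bot: In the first `dedupe.md` hunk, the removed and added lines "1. Enter the fields you want to match on, or ignore. At least one field is required, and you can specify a maximum of three fields." read identically as shown, so the change appears to be whitespace only. If that is a deliberate trailing-space cleanup, fine; otherwise drop it so the hunk contains only the shortcode change.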