search
Log in|Playground

Log Parsing with OpenTelemetry Pipelines

Configure custom log transformations in groundcover using OpenTelemetry Transformation Language (OTTL). Tailor your logs with structured pipelines for parsing, filtering, and enriching data before ing

hashtag
Overview

groundcover supports the configuration of log pipelines using OpenTelemetry Transformation Language (OTTL) to process and customize your logs. With OTTL, you gain full flexibility to transform data as it flows into the platform.

hashtag
Transforming Data with OTTL

groundcover uses OTTL to enrich and shape log data inside your monitored environments. OTTL pipelines give you a structured way to parse, filter, and modify logs before ingestion.

Each pipeline is made up of transformation steps—each step defines a specific operation (like parsing JSON, extracting key-value pairs, or modifying attributes). You can configure these transformations directly in your groundcover deployment.

To test your logic before going live, we recommend using our Parsing Playground (click the top right corner when viewing a specific log).

hashtag
Required Attributes

To define an OTTL pipeline, make sure to include the following fields:

  • statements – List of transformations to apply.

  • conditions – Logic for when the rule should trigger.

  • statementsErrorMode – How to handle errors (e.g., skip, fail).

  • conditionLogicOperator – Used when you define multiple conditions.

hashtag
Deploying OTTL in groundcover

Rules are defined as a list of steps which are executed one after another. The rules can be viewed and edited by admins in the settings tab, under "Pipelines".

The rules run in groundcover's sensors. This is ideal for cost savings, as the original logs are not sent to or stored in the backend. This is useful particularly when the pipeline is used to drop logs.

circle-info

For the rules to take place, groundcover sensors need to be configured with Ingestion Keys that allow them to pull remote configuration from the Fleet Manager.

The pipeline is stored in yaml format and can be edited in the UI. The result yaml can be exported to be used with groundcover's terraform provider, if you prefer to use a version control system (e.g. git). Notice that the pipeline is a singleton resource, so your terraform script must only define a single one.

circle-info

Each rule must have a unique and non-empty ruleName

circle-exclamation

The logs pipeline was previously editable using helm values. Rules that exist in the sensor's values are executed prior to the ones received via remoute configuration, and will not be visible in UI.

Editing the pipeline in sensor's values will be removed in the future, in favor of the UI and terraform.

hashtag
Example Structure

hashtag
Setting Conditions

Use conditions to apply transformations only when specific attributes match. This ensures your pipeline runs efficiently and only on relevant logs.

Common fields you can use:

  • workload – Name of the service or app.

  • container_name – Container where the log originated.

  • level – Log severity (e.g., info, error).

  • format – Log format (e.g., JSON, CLF, unknown).

hashtag
Writing OTTL Statements

Some commonly used functions in groundcover:

  • ExtractGrokPatterns

  • ParseJSON

  • Replace_pattern

  • Delete_key

  • ToLowerCase

  • Concat

  • ParseKeyValue

hashtag
Examples

hashtag
Simple GROK Pattern Extraction

hashtag
Log

hashtag
Statements

hashtag
Results

hashtag
Grok + Replace + ParseKeyValue

hashtag
Log

hashtag
Statements

hashtag
Results

hashtag
Grok + ToLowerCase + ParseJSON

hashtag
Log

hashtag
Statements

hashtag
Results

Last updated