Using DataPrime to enrich and reshape data
Goal
By the end of this guide you should be able to enrich documents using lookup tables, extract structured values from strings, parse key-value pairs, and explode arrays into separate documents.
Why it matters
Data in logs and traces is often messy, inconsistent, or incomplete. You may need to add metadata, normalize fields across schemas, parse semi-structured text, or reshape arrays into flat rows for easier analysis. DataPrime lets you do all of this at query time, without needing to preprocess or re-index.
These transformations are essential for debugging, auditing, and building clean, meaningful dashboards—even when your logs aren’t clean.
Enrich documents with lookup metadata
Description
The enrich command allows you to decorate your logs with metadata from an external lookup table. This is useful for adding human-readable context such as names, departments, or team ownership—based on fields like userid, ip, or cluster_id.
Syntax
lookup_value: The field in the document used as a lookup key.target_field: The new key where enriched data will be stored.lookup_table: The name of the custom enrichment table.
Example
Sample data
Lookup table: user_lookup_table
| ID | Name | Department |
|---|---|---|
| 111 | John | Finance |
| 222 | Emily | IT |
Query
Result
This query appends the relevant row from the lookup table as an object under user_info, creating a dynamic join on read.
Extract structured data from strings (extract + regexp)
Description
The extract command paired with the regexp extraction strategy allows you to pull structured values from text strings. It's ideal for turning loosely formatted logs into something queryable.
Syntax
Example
Sample data
Query
Result
Now you can filter, count, or visualize by parsed.username, rather than relying on full-text search.
Parse key-value strings into objects (extract + kv)
Description
The kv strategy for extract is ideal for parsing structured fields that follow key-value formatting (e.g., logfmt, URL query strings). It creates an object with separate keys for each parsed item.
Syntax
Note
kv is only one of several extractor functions. Choose the one that best serves your use case.
Example
Sample data
Query
Result
You can now access query_params.user and query_params.env directly in filters, visualizations, or enrichments.
Explode arrays into multiple documents (explode)
Description
The explode command transforms a document with an array field into multiple documents, one per array element. This makes it easier to count, filter, or group by individual values inside arrays.
Syntax
original preserve: Retains all original fields in each new document.original discard: Only includes the exploded value in each new document.
Example
Sample data
Query
Result
{ "userid": "1", "scope": "read", "scopes": ["read", "write"] }
{ "userid": "1", "scope": "write", "scopes": ["read", "write"] }
Each document now contains a single scope value, while keeping the original context (userid, scopes).
Common pitfalls or gotchas
enrichonly works if your lookup key is a string—cast it if needed.extractusingregexpwill returnnullif the pattern doesn't match.kvextraction assumes consistent formatting—watch for missing delimiters or malformed strings.explodeoverwrites destination fields if names collide—rename carefully.