Skip to content

[receiver/windowseventlogreceiver] Use a map for event_data #46034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
strawgate wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[receiver/windowseventlogreceiver] Use a map for event_data #46034

strawgate wants to merge 2 commits into from
+205 −46

Conversation

@strawgate
Copy link
Contributor

@strawgate strawgate commented Feb 11, 2026
edited
Loading

Description

Changes the event_data format from an array of single-key maps (which is extremely difficult to work with in OTTL) to a flat map , making fields directly accessible via OTTL.

Before:

{
  "event_data": {
    "data": [
      {"ProcessId": "7924"},
      {"Application": "app.exe"},
      {"": "anonymous_value"}
    ]
  }
}

After:

{
  "event_data": {
    "ProcessId": "7924",
    "Application": "app.exe",
    "Data1": "anonymous_value"
  }
}
  • Named <Data> elements become direct keys
  • Anonymous <Data> elements get numbered keys (Data1, Data2, etc.)
  • Fields now directly accessible: body["event_data"]["ProcessId"]

For Windows logs, any given log has either named elements or anonymous elements, which avoids typical key conflicts.

Link to tracking issue

Fixes #42565 and #32952

Testing

Unit tests updated. To test manually on Windows:

  1. Build collector with changes
  2. Configure receiver with raw: false (default)
  3. Generate Windows events and verify event_data fields are flat keys

Note: Only applies when raw=false. When raw=true, body is XML string.

Documentation

Updated readme and added changelog

@strawgate strawgate changed the title Initial commit Use a map for event_data from Windowseventlogreceiver Feb 11, 2026
@github-actions github-actions bot requested a review from armstrmi February 11, 2026 20:58
@strawgate strawgate changed the title Use a map for event_data from Windowseventlogreceiver [receiver/Windowseventlogreceiver] Use a map for event_data Feb 11, 2026
@strawgate strawgate changed the title [receiver/Windowseventlogreceiver] Use a map for event_data [receiver/windowseventlogreceiver] Use a map for event_data Feb 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pjanotti pjanotti Awaiting requested review from pjanotti pjanotti is a code owner

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel andrzej-stencel is a code owner

@armstrmi armstrmi Awaiting requested review from armstrmi

At least 1 approving review is required to merge this pull request.

Assignees

@MovieStoreGuy MovieStoreGuy

Labels

pkg/stanza receiver/windowseventlog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Improve Windows event_data format

2 participants

@strawgate @MovieStoreGuy