Monad Transforms Reference

Transforms are the processing engine of Monad pipelines. They filter, normalize, enrich, and reshape data between input and output.

Technical Foundation

Monad transforms use GJSON and SJSON packages for JSON traversal and manipulation.

  • GJSON - Query/read JSON paths

  • SJSON - Modify/write JSON values

Test GJSON paths at: gjson.dev

Transform Types

Add

Add a new key-value pair to the record.

{
  "operation": "add",
  "arguments": {
    "key": "source_system",
    "value": "ise-radius"
  }
}

Input:

{"user": "jdoe", "result": "pass"}

Output:

{"user": "jdoe", "result": "pass", "source_system": "ise-radius"}

Timestamp

Append current UTC time in specified format.

{
  "operation": "timestamp",
  "arguments": {
    "key": "ingestion_time",
    "format": "rfc3339"
  }
}

Supported Formats:

Format Example

rfc3339

2026-03-18T12:34:56Z

iso8601

2026-03-18T12:34:56.000Z

unix

1742301296 (seconds)

unix_milli

1742301296000 (milliseconds)

unix_nano

1742301296000000000 (nanoseconds)

Flatten

Flatten a specific nested map or array into flat key-value pairs.

{
  "operation": "flatten",
  "arguments": {
    "key": "nested_data",
    "base": "flat",
    "delimiter": "_"
  }
}

Input:

{
  "nested_data": {
    "level1": {
      "level2": "value"
    }
  }
}

Output:

{
  "flat_level1_level2": "value"
}

Flatten All

Flatten the entire JSON document into a single-level structure.

{
  "operation": "flatten_all",
  "arguments": {
    "delimiter": "_"
  }
}

  • Nested objects: address.cityaddress_city

  • Arrays: contacts[0].typecontacts_0_type

  • Null values preserved

  • Applied to entire document

For (Loop)

Apply transformations to each element of an array.

{
  "operation": "for",
  "arguments": {
    "key": "items",
    "transforms": [
      {
        "operation": "add",
        "arguments": {"key": "processed", "value": true}
      },
      {
        "operation": "rename",
        "arguments": {"from": "name", "to": "item_name"}
      }
    ]
  }
}

  • Transforms execute sequentially on each array element

  • Array structure preserved

  • Useful for normalizing nested collections

JQ Transform

Full jq query syntax for complex data manipulation.

{
  "operation": "jq",
  "arguments": {
    "query": ".user | ascii_downcase",
    "key": "normalized_user"
  }
}

Two Output Modes

Direct Output (no key): Query result becomes entire output

{
  "operation": "jq",
  "arguments": {
    "query": "{user: .username, ip: .source_ip}"
  }
}

Key Storage (with key): Result stored at specified path

{
  "operation": "jq",
  "arguments": {
    "query": ".events | length",
    "key": "event_count"
  }
}

Common jq Operations

Operation Example

Filter

select(.severity == "critical")

Reshape

{id, name, email: .contact.email}

Delete fields

del(.password, .ssn)

Array ops

map, add, length

String ops

split, join, ascii_downcase

Math

add, .price * 1.1

Trial Limitation: jq transforms may require full license. Trial accounts limited to GJSON-based transforms.

Rename Key

Rename a field.

{
  "operation": "rename",
  "arguments": {
    "from": "src_ip",
    "to": "source_ip"
  }
}

Drop Key

Remove a field from the record.

{
  "operation": "drop_key",
  "arguments": {
    "key": "debug_info"
  }
}

Drop Record Where Value Equal

Filter out (discard) records matching a condition.

{
  "operation": "drop_record_where_value_equal",
  "arguments": {
    "key": "event_type",
    "value": "heartbeat"
  }
}

Use this to filter out noise before it reaches outputs.

Convert Timestamp

Convert existing timestamp to different format.

{
  "operation": "convert_timestamp",
  "arguments": {
    "key": "event_time",
    "from_format": "unix",
    "to_format": "rfc3339"
  }
}

Mutate Value Where Key Equal

Conditionally modify field values.

{
  "operation": "mutate_value_where_key_equal",
  "arguments": {
    "key": "status",
    "match_value": "PASS",
    "new_value": "success"
  }
}

Mutate Type

Change the data type of a field.

{
  "operation": "mutate_type",
  "arguments": {
    "key": "port",
    "type": "integer"
  }
}

Add Identifier

Add a unique identifier (UUID) to each record.

{
  "operation": "add_identifier",
  "arguments": {
    "key": "record_id"
  }
}

Duplicate Key Value to Key

Copy a value to create a new field.

{
  "operation": "duplicate_key_value_to_key",
  "arguments": {
    "source_key": "user",
    "destination_key": "original_user"
  }
}

GJSON Path Syntax

Used in transform key arguments and routing conditions.

Basic Access

Path Description

.name

Direct field access

.user.email

Nested field

.items.0

Array index (0-based)

.items.#

Array length

Wildcards and Queries

Path Description

.items.*.name

All name fields in array

.items.(status=="active")

Filter array elements

.items.(age>30).name

Filter then extract

Comparison Operators

Operator Meaning

==

Equal

!=

Not equal

<

Less than

Less than or equal

>

Greater than

>=

Greater than or equal

%

Pattern match (like)

Transform Chaining

Transforms execute in pipeline order. Common patterns:

Transform Chain Pattern

Normalize → Filter → Enrich

  1. Flatten - Normalize nested structure

  2. Rename - Standardize field names

  3. Drop Record - Filter out noise

  4. Timestamp - Add ingestion time

  5. Add - Tag with source system

ISE Log Processing Example

[
  {"operation": "flatten_all", "arguments": {"delimiter": "_"}},
  {"operation": "rename", "arguments": {"from": "UserName", "to": "user"}},
  {"operation": "rename", "arguments": {"from": "NAS-IP-Address", "to": "switch_ip"}},
  {"operation": "drop_record_where_value_equal", "arguments": {"key": "event_type", "value": "accounting_interim"}},
  {"operation": "timestamp", "arguments": {"key": "monad_ingest_time", "format": "rfc3339"}},
  {"operation": "add", "arguments": {"key": "log_source", "value": "ise-radius"}}
]

Related