This topic describes the syntax and parameters of event check functions. This topic also provides examples on how to use the functions.

Functions

Type                  Function   Description
Basic functions       e_has      Checks whether a field exists.
                      e_not_has  Checks whether a field does not exist.
Expression functions  e_search   Searches for an event by using Lucene-like query syntax.
                      e_match*   e_match, e_match_all, and e_match_any. These functions check whether the value of a field in an event meets the conditions specified in an expression.
The following table describes the expression functions that you can use together with event check functions.
Type               Function     Description
Logical functions  op_and       Invokes the AND operation.
                   op_or        Invokes the OR operation.
                   op_not       Invokes the NOT operation.
                   op_nullif    Checks whether the values of two expressions are equal.
                   op_ifnull    Returns the value of the first expression whose value is not None.
                   op_coalesce  Returns the value of the first expression whose value is not None.

e_has

  • Syntax
    e_has("field name")
  • Parameters
    Parameter   Type    Required  Description
    field name  String  Yes       The name of a field in an event.
  • Response

    If the specified field exists, True is returned. Otherwise, False is returned.

  • Example
    Check whether an event contains the content field. If the event contains the content field, the event is retained. Otherwise, the event is dropped.
    • Raw log entry:
      content: 123
    • Transformation rule:
      e_keep(e_has("content"))
    • Result:
      content: 123

e_not_has

  • Syntax
    e_not_has("key")
  • Parameters
    Parameter  Type    Required  Description
    key        String  Yes       The name of a field in an event.
  • Response

    If the specified field does not exist, True is returned. Otherwise, False is returned.

  • Example

    Check whether an event contains the content field. If the event does not contain the content field, the event is retained. Otherwise, the event is dropped.

    • Raw log entry:
      content: 123
    • Transformation rule:
      e_if_else(e_not_has("content"),KEEP,DROP)
    • Result:

      The event is dropped.

e_search

  • Syntax
    e_search(Query string)
  • Parameters
    Parameter     Type    Required  Description
    Query string  String  Yes       The string that you want to use to filter log data and simplify data transformation. For more information, see Query string syntax.
  • Response

    If the specified conditions are met, True is returned. Otherwise, False is returned.

  • Example
    # Full-text search
    e_search("active error")   # Search for multiple substrings in full text. The substrings are associated with each other by using the logical operator OR. 
    e_search('"active error"')   # Search for a substring in full text. 
    
    # Field search
    e_search("status: active")   # Search for a substring in a specified field. 
    e_search('author: "john smith"') # Search for a substring that contains a space character in a specified field. 
    e_search('field: active error')   # Search the specified field for the substring "active", or search all logs for the substring "error". The query string in this example is equivalent to field:active OR "error". 
    
    # Exact match
    e_search('author== "john smith"')  
    
    # Search for field values by using wildcard characters. You can use an asterisk (*) to match zero or more characters. You can use a question mark (?) to match one character. 
    e_search("status: active * test")   # active*test contains one asterisk (*). You do not need to enclose the value in double quotation marks (""). 
    e_search("status: active?good")    # active?good contains one question mark (?). You do not need to enclose the value in double quotation marks (""). 
    e_search("status== ac*tive?good")   # The query string is used for exact match. 
    
    # Escape special characters in a field value. Asterisks (*) or question marks (?) that are not used as wildcards must be escaped in a field value by using backslashes (\). 
    e_search('status: "\*\?()[]:="')  # \*\?()[]:= contains multiple special characters. You must enclose the value in double quotation marks (""). The asterisks (*), question marks (?), and backslashes (\) in the value are escaped. 
    e_search("status: active\* test")   # active\*test contains one asterisk (*). You do not need to enclose the value in double quotation marks (""). 
    e_search("status: active\?test")  # active\?test contains one question mark (?). You do not need to enclose the value in double quotation marks (""). 
    
    # Escape special characters in a field name
    e_search("\*\(1+1\)\?: abc")   # You cannot enclose the field name in double quotation marks (""). You must escape special characters by using backslashes (\). 
    e_search("__tag__\:__container_name__: abc")   # You must escape special characters by using backslashes (\). 
    e_search("field name in Chinese: abc")                      # Enter the Chinese characters that comprise the field name. 
    
    # Search for strings by using regular expressions.
    e_search('content~="regular expression"')   # Search for substrings that match the regular expression. 
    
    # Numeric value comparison
    e_search('count: [100, 200]')   # >=100 and <=200
    e_search('count: [*, 200]')     # <=200
    e_search('count: [200, *]')     # >=200
    e_search('age >= 18')           # >= 18
    e_search('age > 18')            # > 18
    
    # Relational operators
    e_search("abc OR xyz")   # The relational operator is case-insensitive. 
    e_search("abc and (xyz or zzz)")
    e_search("abc and not (xyz and not zzz)")
    e_search("abc && xyz")    # and
    e_search("abc || xyz")    # or
    e_search("abc || !xyz")   # or not
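To make the behaviour of the query forms above concrete, here is an added Python model of a subset of that syntax; it is example code written for this page, not the SLS implementation. It assumes events are plain dicts of field name to string, restricts field names to letters, digits, underscores and dots, and does not model escaped field names, the AND/OR/NOT operators, or the "active * test" spacing form. It does show the points a practitioner relies on when writing filters: a missing field never satisfies a field condition, ":" is a substring match while "==" is an exact match, "*" and "?" are wildcards unless backslash-escaped, numeric ranges use "*" as an open end, and bare full-text terms are OR-ed while a quoted phrase is kept whole.

```python
import re

# Added example (not SLS code): a Python model of a subset of the e_search
# query syntax. Field names are limited to [A-Za-z0-9_.]; escaped field
# names, AND/OR/NOT operators and the bare "a * b" spacing form are not
# modelled. Events are plain dicts of field name -> string.

_RANGE = re.compile(r'^\s*([\w.]+)\s*:\s*\[\s*(\*|-?\d+(?:\.\d+)?)\s*,\s*(\*|-?\d+(?:\.\d+)?)\s*\]\s*$')
_CMP = re.compile(r'^\s*([\w.]+)\s*(>=|<=|>|<)\s*(-?\d+(?:\.\d+)?)\s*$')
_REGEX = re.compile(r'^\s*([\w.]+)\s*~=\s*"(.*)"\s*$')
_FIELD = re.compile(r'^\s*([\w.]+)\s*(==|:)\s*(.+?)\s*$')


def _wildcard_to_regex(pattern):
    """Translate the value syntax: * -> any run of characters, ? -> one
    character, backslash-escaped * or ? -> the literal character."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return "".join(out)


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def _number(event, field):
    """Numeric value of a field, or None if it is missing or not numeric."""
    try:
        return float(event[field])
    except (KeyError, TypeError, ValueError):
        return None


def e_search(query, event):
    """Return True if the event satisfies the query, False otherwise.
    A missing field never satisfies a field condition."""
    m = _RANGE.match(query)
    if m:
        field, lo, hi = m.groups()
        val = _number(event, field)
        return val is not None and (lo == "*" or val >= float(lo)) \
            and (hi == "*" or val <= float(hi))
    m = _CMP.match(query)
    if m:
        field, op, num = m.groups()
        val = _number(event, field)
        if val is None:
            return False
        n = float(num)
        return {">": val > n, ">=": val >= n, "<": val < n, "<=": val <= n}[op]
    m = _REGEX.match(query)
    if m:
        field, pat = m.groups()
        return field in event and re.search(pat, str(event[field])) is not None
    m = _FIELD.match(query)
    if m:
        field, op, raw = m.groups()
        if field not in event:
            return False
        pat = _wildcard_to_regex(_unquote(raw))
        matcher = re.fullmatch if op == "==" else re.search   # "==" is an exact match
        return matcher(pat, str(event[field])) is not None
    # Full-text search: quoted phrases are kept whole, bare words are OR-ed.
    terms = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', query)]
    haystack = " ".join(str(v) for v in event.values())
    return any(t in haystack for t in terms)


# Constructed sample event, not taken from the page.
EVENT = {
    "status": "active*test",
    "author": "john smith",
    "count": "150",
    "age": "20",
    "content": "handler reported an active error",
}

if __name__ == "__main__":
    for q in ["active error", '"active error"', "status: active", "status== active",
              r"status: active\*test", "status: active?test", "status== ac*test",
              'author: "john smith"', "count: [100, 200]", "count: [*, 120]",
              "age >= 18", "age > 20", r'content~="active\s+error"', "host: web01"]:
        print(f"{q!r:32} -> {e_search(q, EVENT)}")
```

The query is dispatched in a fixed order (range, comparison, regex, field, full text) so that "count: [100, 200]" is read as a numeric range rather than as a field search for the literal text "[100, 200]"; the same ordering concern applies when you build real filters, where an unescaped "*" or "?" in a value silently turns an exact check into a wildcard one.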

e_match*

  • Syntax
    e_match(field name, regular expression, full=True)
    e_match_all(field name 1, regular expression 1, field name 2, regular expression 2, ..., full=True)
    e_match_any(field name 1, regular expression 1, field name 2, regular expression 2, ..., full=True)
    Note
    • The field name and regular expression parameters must be specified in pairs.
    • In most cases, the e_match function is used together with the op_not, op_and, or op_or function.
  • Parameters
    Parameter           Type    Required  Description
    field name          String  Yes       The name of a field. If the specified field does not exist, the condition that is specified for the field is not met. For example, if the f1 field does not exist, e_match("f1", ...) returns False.
    regular expression  String  Yes       The regular expression that you want to use to match strings. To match a literal string, convert it into a regular expression with the str_regex_escape function first.
    full                Bool    No        Specifies whether to perform an exact match. Default value: True, which specifies an exact match of the whole field value. For more information, see Regular expressions.
  • Response
    If the specified field matches the regular expression, True is returned. Otherwise, False is returned.
    Note
    • e_match_any: If one or more specified fields match the regular expression, True is returned. Otherwise, False is returned.
    • e_match_all: If all specified fields match the regular expression, True is returned. Otherwise, False is returned.
  • Examples
    • Example 1
      Perform an exact match by using the e_match function.
      • Raw log entry:
        k1: 123
      • Transformation rule:
        e_set("match",e_match("k1",r'\d+'))
      • Result:
        k1: 123
        match: True
    • Example 2
      Perform an exact match by using the e_match_all function.
      • Raw log entry:
        k1: 123
        k2: abc
        k3: abc123
      • Transformation rule:
        e_set("match",e_match_all('k1', r'\d+', 'k4', '.+'))
      • Result:
        k1: 123
        k2: abc
        k3: abc123
        match: False
      Note You can use the e_match_any and e_match_all functions in a similar manner.
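The following added Python model covers the e_has and e_not_has checks described earlier on this page as well as e_match, e_match_all, e_match_any and the op_and, op_or and op_not combinators. It is example code written for this page, not the SLS implementation: the real DSL evaluates these checks lazily per event, whereas here every function takes the event dict explicitly so the semantics can be exercised offline. It reproduces the page's two examples (match is True for k1 against \d+; e_match_all is False because k4 does not exist) and then shows the two behaviours that most often surprise rule authors: full=True matches the whole value while full=False matches anywhere, and a missing field makes both e_has and e_match return False, so a filter that combines them with op_and drops events that lack the field. The audit events and the interactive_logins filter are constructed for the demonstration.

```python
import re

# Added example (not SLS code): a Python model of e_has, e_not_has, e_match,
# e_match_all, e_match_any and the op_* combinators. Every check takes the
# event dict explicitly; the real DSL evaluates them lazily per event.


def e_has(event, field):
    return field in event


def e_not_has(event, field):
    return field not in event


def str_regex_escape(text):
    """Turn a literal string into a regular expression that matches only it."""
    return re.escape(text)


def e_match(event, field, regex, full=True):
    """full=True: the whole value must match (exact match, the default).
    full=False: a match anywhere in the value is enough.
    A missing field never matches, as the parameter table states."""
    if field not in event:
        return False
    matcher = re.fullmatch if full else re.search
    return matcher(regex, str(event[field])) is not None


def _pairs(args):
    if len(args) % 2:
        raise ValueError("field name and regular expression must be given in pairs")
    return list(zip(args[0::2], args[1::2]))


def e_match_all(event, *args, full=True):
    return all(e_match(event, f, r, full) for f, r in _pairs(args))


def e_match_any(event, *args, full=True):
    return any(e_match(event, f, r, full) for f, r in _pairs(args))


def op_and(*conds):
    return all(conds)


def op_or(*conds):
    return any(conds)


def op_not(cond):
    return not cond


def e_set(event, field, value):
    new = dict(event)
    new[field] = value
    return new


def e_keep(events, check):
    """Retain only the events for which check(event) is True."""
    return [e for e in events if check(e)]


# The page's two raw log entries, as dicts.
EXAMPLE_1 = {"k1": "123"}
EXAMPLE_2 = {"k1": "123", "k2": "abc", "k3": "abc123"}

# Constructed audit-style events (not from the page) for the filtering demo.
AUDIT = [
    {"user": "alice", "action": "login", "src": "10.0.0.5"},
    {"user": "svc_backup", "action": "login", "src": "10.0.0.9"},
    {"action": "login", "src": "203.0.113.7"},          # no user field at all
    {"user": "bob", "action": "sudo", "src": "10.0.0.5"},
]


def interactive_logins(events):
    """Keep login events that carry a user field whose value is not a
    service account. Events without a user field are dropped: e_has is
    False for them, and e_match on the missing field would be False too."""
    return e_keep(events, lambda e: op_and(
        e_has(e, "user"),
        e_match(e, "action", "login"),
        op_not(e_match(e, "user", r"svc_.*")),
    ))


if __name__ == "__main__":
    print(e_set(EXAMPLE_1, "match", e_match(EXAMPLE_1, "k1", r"\d+")))
    print(e_set(EXAMPLE_2, "match", e_match_all(EXAMPLE_2, "k1", r"\d+", "k4", ".+")))
    print(e_match_any(EXAMPLE_2, "k1", r"\d+", "k4", ".+"))
    print(e_match(EXAMPLE_2, "k3", r"\d+"), e_match(EXAMPLE_2, "k3", r"\d+", full=False))
    print(e_match(EXAMPLE_2, "k3", str_regex_escape("abc123")))
    print([e["user"] for e in interactive_logins(AUDIT)])
```

Note the e_match_any call on the same arguments returns True, since k1 alone satisfies it; when a rule should only fire if every listed field is present and well-formed, e_match_all is the right choice precisely because a missing field counts as a failed condition.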