This topic describes the syntax of field processing functions and provides parameter description and function examples.

Functions

Type Function Description
Field processing e_drop_fields Deletes the fields that meet a specified condition.
e_keep_fields Retains the fields that meet a specified condition.
e_rename Renames the fields that meet a specified condition.

e_drop_fields

  • Syntax 
    e_drop_fields(String, ...)
  • Parameters
    Parameter Type Required? Description
    String String Yes The regular expression that specifies the fields to delete. The fields that fully match the regular expression are deleted. The fields that do not fully match the regular expression are retained.
  • Example: If the value of the content field is 123, the content and age fields are deleted.
    Raw log: 
    age:  18
content:  123
name: twiss
    Processing rule: 
    e_if(e_search("content==123"), e_drop_fields("content|age"))
# Equivalent to:
e_if(..., e_drop_fields("content", "age"))
    Processing result: 
    name: twiss

e_keep_fields

  • Syntax 
    e_keep_fields(String, ...)
  • Parameters
    Parameter Type Required? Description
    String String Yes The regular expression that specifies the fields to retain. The fields that fully match the regular expression are retained. The fields that do not fully match the regular expression are deleted.
  • Example: If the value of the content field is 123, the content and age fields are retained.
    Raw log: 
    age:  18
content:  123
name: twiss
    Processing rule: 
    e_if(e_search("content==123"), e_keep_fields("content", "age"))
    Processing result: 
    age:  18
content:  123
Note Log Service provides some built-in meta-fields, such as __time__ and __topic__. If you do not specify the __time__ field in the list of fields to retain when you call the e_keep_fields function, the time of the event is reset to the current time. If you do not want to reset the value of a meta-field, add the meta-field to the list of fields to retain. A common parameter list of the e_keep_fields function is as follows: F_TIME, F_META, F_TAGS, "f1", "f2".

e_rename

  • Syntax 
    e_rename("String 1", "New field name 1", "String 2", "New field name 2", ...)
    Note The String and New field name parameters must appear in pairs.
  • Parameters
    Parameter Type Required? Description
    String String Yes The regular expression that specifies the field to rename. Only a field that fully matches the regular expression is renamed.
    New field name String Yes The new field name.
  • Response

    The event with the renamed fields is returned.

  • Examples
    • Example 1
      Raw log: 
      host:  1006
      Processing rule: 
      e_rename("host","client_host")
      Processing result: 
      client_host:  1006
    • Example 2
      Raw logs: 
      __topic__: access
ret: 100
      __topic__: access
return: 200
      Processing rule: 
      e_rename(r"ret|return", "Return")
      Processing result: 
      __topic__: access
Return: 100
      __topic__: access
Return: 200