This topic describes the syntax and parameters of the value assignment function. This topic also provides examples on how to use the function.

e_set

You can use the e_set function to add a field or to specify a new value for an existing field.
  • Syntax
    e_set(key1, value1, key2, value2, mode="overwrite")
    Notice
    • Keys and values must be specified in pairs: key1 with value1, key2 with value2, and so on.
    • If you use the e_set function to specify a value for a time field, such as F_TIME or __time__, the value must be a numeric string.
      e_set(F_TIME, "abc")   # Invalid: the value is not a numeric string.
      e_set(F_TIME, "12345678")   # Valid: the value is a numeric string.
  • Parameters
    | Parameter | Type | Required | Description |
    | --- | --- | --- | --- |
    | key | String | Yes | The name of a log field. You can set this parameter to an expression that is used to return a string. For more information about how to specify special field names, see Event structure and fields. |
    | value | Arbitrary | Yes | The new value of a specified field. If the value of this parameter is not a string, the function automatically converts the value to a string. For example, if you set this parameter to a value of the tuple, list, or dictionary type, the function automatically converts the value to a JSON string. For more information about the conversion rule of strings, see Automatic type conversion during assignment. Note: If you set this parameter to None, the function does not update the original value of the specified field. |
    | mode | String | No | The overwrite mode of fields. Default value: overwrite. For more information, see Field check and overwrite modes. |
  • Response

    The updated log entry is returned.

  • Examples
    • Example 1: Assign a fixed value to a field.
      Add a new field named city and set the value to Shanghai.
      e_set("city", "Shanghai")
    • Example 2: Extract the value of an existing field, and then assign the value to another field.
      Call an expression function to extract the value of an existing field named ret, and then assign the value to a new field named result.
      e_set("result", v("ret"))
    • Example 3: Assign a dynamic value to a field.
      Chain expression functions: take the value of the first field that exists among the specified fields (ret and return), convert it to lowercase, and assign the result to the result field.
      e_set("result", str_lower(v("ret", "return")))
    • Example 4: Specify a value for a field multiple times.
      1. Specify fixed values for the event_type and event_info fields.
        e_set("event_type", "login event", "event_info", "login host")
      2. If the value of the ret field is fail, set the event_type field to login failed event.
        e_if(e_search('ret==fail'), e_set("event_type", "login failed event" ))
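
The following is an added example, not code from this documentation or from the product: a small local Python model of the e_set rules stated above (paired arguments, None leaves a field unchanged, tuple/list/dict values become JSON strings, a time field needs a numeric string), useful for unit-testing log normalization rules before deploying them. The names e_set_model, to_field_string, TIME_FIELDS and SAMPLE are hypothetical. Assumptions: only the default overwrite mode is modeled, only __time__ is treated as a time field, and non-container values fall back to Python's str().

```python
import json

TIME_FIELDS = {"__time__"}  # assumption: only __time__ is treated as a time field


def to_field_string(value):
    """Convert a value to the string that would be stored in the log field."""
    if isinstance(value, str):
        return value
    if isinstance(value, (tuple, list, dict)):
        return json.dumps(value)  # containers become JSON strings
    return str(value)  # assumption: other types use Python's str()


def e_set_model(event, *pairs):
    """Return a copy of `event` with key/value pairs applied (overwrite mode only)."""
    if not pairs or len(pairs) % 2 != 0:
        raise ValueError("keys and values must be specified in pairs")
    updated = dict(event)
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if value is None:
            continue  # None leaves the original value untouched
        text = to_field_string(value)
        if key in TIME_FIELDS and not (text.isascii() and text.isdigit()):
            raise ValueError(f"time field {key!r} needs a numeric string, got {text!r}")
        updated[key] = text
    return updated


# Constructed sample event, mirroring Example 4 on this page.
SAMPLE = {"ret": "fail", "host": "10.0.0.8"}


def demo():
    """Apply the Example 4 steps, then a list value and a None value."""
    event = e_set_model(SAMPLE, "event_type", "login event", "event_info", "login host")
    if event.get("ret") == "fail":  # stands in for e_if(e_search('ret==fail'), ...)
        event = e_set_model(event, "event_type", "login failed event")
    return e_set_model(event, "tags", ["auth", "ssh"], "ret", None)


if __name__ == "__main__":
    print(demo())
```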