Mapping and enrichment functions - Data Transformation| Alibaba Cloud Documentation Center

This topic describes the syntax and parameters of mapping and enrichment functions. This topic also provides examples on how to use the functions.

Functions


Type	Function	Description
Field-based mapping	e_dict_map	Maps the value of a specified field to a field based on a dictionary, and then returns the value of the matched field.
Field-based mapping	e_table_map	Maps the value of a specified field to a row in a table, and then returns the value of the field in this row.
Search-based mapping	e_search_dict_map	Maps a search string to a key based on a dictionary, and then returns the value of the matched key.
Search-based mapping	e_search_table_map	Maps a search string to a column in a table, and then returns the value of the field in this column.

e_dict_map

Syntax

e_dict_map(data, field, output_field, case_insensitive=True, missing=None, mode="overwrite")

Parameters


Parameter	Type	Required	Description
data	Dict	Yes	The dictionary that is used for mapping. A dictionary includes a collection of key-value pairs. Each key must be a string.
field	String or string list	Yes	One or more field names. If the value of this parameter contains multiple field names, one of the following results is returned: The system maps the field names in sequence. If multiple log entries match the specified search condition and the mode parameter is set to overwrite, the system returns the last matched log entry. If no field matches the specified search condition, the system returns the value of the missing parameter.
output_field	String	Yes	The field name that you want to return.
case_insensitive	Bool	No	Specifies whether data is case-sensitive when the system maps the data. Default value: True. This value indicates that data is not case-sensitive. Note If multiple fields in the dictionary match the specified search condition and the case_insensitive parameter is set to True, the system selects the field that uses the same case as the key. If no key is found, the system randomly selects a field.
missing	String	No	The value that is returned if no fields are matched. Default value: None. This value indicates that no operations are performed. Note If the specified dictionary contains a mapping rule that returns the asterisk () wildcard and no fields are matched, the `missing` parameter is disabled. This is because the asterisk () wildcard has a higher priority than the `missing` parameter.
mode	String	No	The overwrite mode of the fields. Default value: overwrite. For more information, see Field check and overwrite modes.

Response
An event in which new fields and values are added is returned.

Examples

Example 1

Raw log entry:

data:  123
pro:  1

Transformation rule:

e_dict_map({"1": "TCP", "2": "UDP", "3": "HTTP", "*": "Unknown"}, "pro", "protocol")

Result:

data:  123
pro:  1
protocol:  TCP

Example 2

Raw log entries (three log entries):

status:  500

status:  400

status:  200

Transformation rule:

e_dict_map({"400": "Error", "200": "Success", "*": "Other"}, "status", "message")

Result:

status:  500
message:  Other

status:  400
message:  Error

status:  200
message:  Success

e_table_map

Syntax

e_table_map(data, field, output_fields, missing=None, mode="fill-auto")

Parameters


Parameter	Type	Required	Description
data	Table	Yes	The table that is used to map values in multiple columns. Note If you use a resource function, such as res_rds_mysql or res_log_logstore_pull, to pull data, we recommend that you set the primary_keys parameter to improve the performance of data transformation. For more information, see Resource functions.
field	String, string list, or tuple list	Yes	The source fields that are mapped to the specified table in an event. If no field is matched in the event, no operations are performed on the source fields.
output_fields	String, string list, or tuple list	Yes	The fields that are matched in the specified table.
missing	String	No	The value that is returned if no fields are matched. Default value: None. This value indicates that no operations are performed. If the source field is mapped to multiple columns, the value of the `missing` parameter can be a list of default values. The length of the list is the same as the length of the source field. Note If the specified table contains a mapping rule that returns the asterisk () wildcard and no fields are matched, the `missing` parameter is disabled. This occurs because the asterisk () wildcard has a higher priority than the `missing` parameter.
mode	String	No	The overwrite mode of the fields. Default value: fill-auto. For more information, see Field check and overwrite modes.

Response
An event in which new fields and values are added is returned.

Examples

Example 1: One field is returned.

Raw log entry:

data: 123
city: nj

Transformation rule:

e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), "city", "province")

Result:

data: 123
city: nj
province: js

Example 2: Two fields are returned.

Raw log entry:

data: 123
city: nj

Transformation rule:

e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), "city", ["province", "pop"])

Result:

data: 123
city: nj
province: js
pop: 800

Example 3: The sep parameter in the tab_parse_csv function is used.

Raw log entry:

data: 123
city: nj

Transformation rule:

e_table_map(tab_parse_csv("city#pop#province\nnj#800#js\nsh#2000#sh", sep='#'), "city", ["province", "pop"])

Result:

data: 123
city: nj
province: js
pop: 800

Example 4: The quote parameter in the tab_parse_csv function is used.

Raw log entry:

data: 123
city: nj

Transformation rule:

e_table_map(tab_parse_csv('city,pop,province\n|nj|,|800|,|js|\n|shang hai|,2000,|SHANG,HAI|', quote='|'), "city", ["province", "pop"])

Result:

data: 123
city: nj
province: js
pop: 800

Example 5: The value of the specified source field is different from the values of the fields in the specified table.
Raw log entry:
```
data: 123
cty: nj
```
Transformation rule:
```
e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), [("cty","city")], "province")
```
Result:
```
data: 123
cty: nj
province: js
```
Example 6: The value of the specified source field is different from the values of the fields in the specified table, and the specified output field is renamed.
Raw log entry:
```
data: 123
cty: nj
```
Transformation rule:
```
e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), [("cty","city")], [("province","pro")])
```
Result:
```
data: 123
cty: nj
pro: js
```

Example 7: Multiple source fields are specified.

Raw log entry:

data: 123
city: nj
pop: 800

Transformation rule:

e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), ["city", "pop"], "province")

Result:

data: 123
city: nj
pop: 800
province: js

Example 8: Multiple source fields are specified, and the values of the specified source fields are different from the values of the fields in the specified table.
Raw log entry:
```
data: 123
cty: nj
pp: 800
```
Transformation rule:
```
e_table_map(tab_parse_csv("city,pop,province\nnj,800,js\nsh,2000,sh"), [("cty", "city"), ("pp", "pop")], "province")
```
Result:
```
data: 123
cty: nj
pop: 800
province: js
```

e_search_dict_map

Syntax

e_search_dict_map(data, output_field, multi_match=False, multi_join=" ", missing=None, mode="overwrite")

Parameters


Parameter	Type	Required	Description
data	Dict	Yes	The dictionary that is used for mapping. A dictionary includes a collection of key-value pairs. Each key must be a search string. For more information about search strings, see the dct_get function.
output_field	String	Yes	The field name that you want to return.
multi_match	Bool	No	Specifies whether multiple matched fields can be returned. Default value: False. This value indicates that the system returns only the value of the first matched field. If you set the parameter to True, the system concatenates the values of multiple matched fields by using the character that is specified in the `multi_join` parameter.
multi_join	String	No	The character that is used to concatenate the values of multiple matched fields. The default value is a space character. This parameter is valid only when the multi_match parameter is set to True.
missing	String	No	The value that is returned if no fields are matched. Default value: None. This value indicates that no operations are performed. Note If the specified dictionary contains a mapping rule that returns the asterisk () wildcard and no fields are matched, the `missing` parameter is disabled. This occurs because the asterisk () wildcard has a higher priority than the `missing` parameter.
mode	String	No	The overwrite mode of the fields. Default value: overwrite. For more information, see Field check and overwrite modes.

Response
The matched values are returned.

Examples

Example 1: Data mapping in matching mode

Raw log entry:

data:123
pro:1

Transformation rule:

e_search_dict_map ({"pro==1": "TCP", "pro==2": "UDP", "pro==3": "HTTP"}, "protocol")

Result:

data:123
pro:1
protocol:TCP

Example 2: Data mapping based on the first character in the value of each field

Raw log entry:

status:200,300

Transformation rule:

e_search_dict_map ({"status:2??": "ok", "status:3??": "redirect", "status:4??": "auth", "status:5??": "server_error"}, "status_desc", multi_match=True, multi_join="test")

Result:

status:200,300
status_desc: ok test redirect

e_search_table_map

Syntax

e_search_table_map(data, inpt, output_fields, multi_match=False, multi_join=" ", missing=None, mode="fill-auto")

Parameters


Parameter	Type	Required	Description
data	Table	Yes	The table from which data is obtained. The name of a column in the table must be a search string.
inpt	String	Yes	The field names that match the search string in the specified table.
output_fields	String, string list, or tuple list	Yes	The fields that are matched in the specified table. The value of this parameter is a string, a string list, or a tuple list.
multi_match	Bool	No	Specifies whether multiple matched fields can be returned. Default value: False. This value indicates that the system returns only the value of the first matched field. If you set the parameter to True, the system concatenates the values of multiple matched fields by using the character that is specified in the `multi_join` parameter.
multi_join	String	No	The character that is used to concatenate the values of multiple matched fields. The default value is a space character. This parameter is valid only when the `multi_match` parameter is set to True.
missing	String	No	The value that is returned if no fields are matched. Default value: None. This value indicates that no operations are performed. Note If the specified table contains a mapping rule that returns the asterisk (``) wildcard and no fields are matched, the `missing` parameter is disabled. This is because the asterisk (``) wildcard has a higher priority than the `missing` parameter.
mode	String	No	The overwrite mode of the fields. Default value: fill-auto.

Source table


Column name	Type 1	Type 2
`content: guide and title:~"\w guide"'`	guide	user
`content: city and title:~"\w shanghai"`	food	home

Response
The matched values are returned.

Examples

Example 1: Data mapping in simple mode

Raw log entry:

  data: 123
  city: sh

Transformation rule:

e_search_table_map(tab_parse_csv("search,pop,province\ncity==nj,800,js\ncity==sh,2000,sh"), "search", ["pop", "province"])

Result:

data: 123
city: sh
province: sh
pop: 2000

Example 2: Data mapping in overwrite mode

Raw log entry:

data: 123
city: nj
province:

Transformation rule:

e_search_table_map(tab_parse_csv("search,pop,province\ncity==nj,800,js\ncity==sh,2000,sh"), "search", "province",mode="overwrite")

Result:

data: 123
city: nj
province: js

Example 3: Data mapping in missing mode when the table does not contain the province field

Raw log entry:

data: 123
city: wh
province:

Transformation rule:

e_search_table_map(tab_parse_csv("search,pop,province\ncity==nj,800,\ncity==sh,2000,sh"), "search", "province",missing="Unknown")

Result:

data: 123
city: wh
province: Unknown

Example 4: Data mapping in multi_match mode

Raw log entry:

data: 123
city: nj,sh
province:

Transformation rule:

e_search_table_map(tab_parse_csv("search,pop,province\ncity:nj,800,js\ncity:sh,2000,sh"), "search", "province",multi_match=True, multi_join=",")

Result:

data: 123
city: nj,sh
province: js,sh