Log Service provides the domain-specific language (DSL) to construct global processing functions that can be used as steps in a data transformation rule.
The following table describes the global processing functions.
| Type | Function | Description |
|---|---|---|
| Flow control functions | e_if |
Performs an operation if a condition is met. Multiple condition-operation pairs can be specified. |
e_if_else |
Performs an operation based on the evaluation result of a condition. | |
e_switch |
Performs an operation if a condition is met and returns a result. | |
e_compose |
Combines multiple operations. | |
| Event processing functions | e_drop |
Deletes an event if a condition is met. |
e_keep |
Retains an event if a condition is met. | |
e_split |
Splits the value of a specified field into multiple events. | |
e_output |
Writes an event to a specified destination Logstore. The event is deleted after it is written to the destination Logstore. | |
e_coutput |
Writes an event to a specified destination Logstore. The event is retained after it is written to the destination Logstore. | |
e_to_metric |
Converts log data to time series data that can be stored in a Metricstore. | |
| Field processing functions | v |
Extracts the value of a field. |
e_set |
Adds a field or specifies a new value for an existing field. | |
e_drop_fields |
Deletes the fields that meet a specified condition. | |
e_keep_fields |
Retains the fields that meet a specified condition. | |
e_pack_fields |
Encapsulates specified log fields, and then assigns the log fields as a value to a new field. | |
e_rename |
Renames the fields that meet a specified condition. | |
| Value extraction functions | e_regex |
Extracts the value of a field by using a regular expression. |
e_json |
Expands or extracts JSON objects. | |
e_kv |
Extracts key-value pairs. | |
e_kv_delimit |
Extracts key-value pairs by using delimiters. | |
e_csv |
Extracts values by using a delimiter. The default delimiter is a comma (,). | |
e_tsv |
Extracts values by using a delimiter. The default delimiter is a tab (\t). | |
e_psv |
Extracts values by using a delimiter. The default delimiter is a vertical bar (|).
|
|
e_syslogrfc |
Extracts field values based on the syslog protocol. | |
e_anchor |
Extracts the value between the specified start and end positions. | |
| Mapping and enrichment functions | e_dict_map |
Maps an event based on a dictionary. |
e_table_map |
Maps an event based on a table. | |
e_search_map |
Maps an event based on a search string. | |
| Value-added content functions | e_threat_intelligence |
Obtains threat intelligence. |