Simple Log Service: Overview of global processing functions

Last Updated: Aug 11, 2023

This topic describes the global processing functions that Simple Log Service provides. The domain-specific language (DSL) for Simple Log Service includes approximately 30 global processing functions. You can use these functions to control the logic of data transformation.

The following table describes the global processing functions.

| Category | Function | Description |
| --- | --- | --- |
| Flow control functions | e_if | Performs an operation if a specified condition is met. You can specify multiple condition-operation pairs. |
| | e_if_else | Performs an operation based on the evaluation result of a specified condition. |
| | e_switch | Performs an operation if a specified condition is met and returns the result. |
| | e_compose | Combines multiple operations and performs the operations in sequence. |
| Event processing functions | e_drop | Discards a log if a specified condition is met. |
| | e_keep | Retains a log if a specified condition is met. |
| | e_split | Splits a log into multiple logs based on the value of a specified field. You can also use JMESPath to extract the value of the field, and then split the log. |
| | e_output | Writes a log to a specified Logstore. The subsequent transformation rules are not executed for the log. |
| | e_coutput | Writes a log to a specified Logstore. The subsequent transformation rules are still executed for the log. |
| | e_to_metric | Converts logs to metrics that can be stored in a Metricstore. |
| Field processing functions | v | Extracts the value of a field from a log. |
| | e_set | Adds a field or specifies a new value for an existing field. |
| | e_drop_fields | Discards the log fields that meet a specified condition. |
| | e_keep_fields | Retains the log fields that meet a specified condition. |
| | e_pack_fields | Packs log fields and assigns the log fields as a value to a new field. |
| | e_rename | Renames the log fields that meet a specified condition. |
| Value extraction functions | e_regex | Extracts the value of a field by using a regular expression and assigns the value to other fields. |
| | e_json | Performs operations on JSON objects in a specified field. You can configure the parameters to expand JSON data, extract JSON data by using JMESPath, or expand the extracted JSON data. |
| | e_kv | Extracts key-value pairs from multiple input fields by using a specified quote. |
| | e_kv_delimit | Extracts key-value pairs from input fields by using a specified delimiter. |
| | e_csv | Extracts multiple fields by using a default delimiter. The default delimiter is a comma (,). |
| | e_tsv | Extracts multiple fields by using a default delimiter. The default delimiter is a tab (\t). |
| | e_psv | Extracts multiple fields by using a default delimiter. The default delimiter is a vertical bar (\|). |
| | e_syslogrfc | Calculates the values of the facility and severity fields and returns level information, which is indicated by the facilitylabel field. The function calculates the values based on the value of the priority field and the specified syslog protocol. |
| | e_anchor | Extracts strings by using the rules specified by anchor_rules. |
| Mapping and enrichment functions | e_dict_map | Maps the value of an input field to a value in a specified data dictionary and returns a new field. |
| | e_table_map | Maps the value of an input field to a row in a specified table and returns a new field. |
| | e_tablestore_map | Enriches a raw log by using a data table in Tablestore as the dimension table. |
| | e_redis_map | Enriches a raw log by using a data table in ApsaraDB for Redis as the dimension table. |
| | e_search_dic_map | Searches the keywords in a specified data dictionary for a raw log field, maps the field to a value in the data dictionary, and returns a new field. The keywords must be query strings. |
| | e_search_table_map | Searches a specified column in a specified table for a raw log field, maps the field to a row in the table, and returns a new field. The values of the column must be query strings. |
| Value-added content functions | e_threat_intelligence | Obtains threat intelligence for an IP address or a domain name that is specified by a log field and assigns the threat intelligence as a value to a specified field. |