To send a log entry to different storage targets with different field sets, use the following example transformation rule. In this example, the fields in the raw log entry are f1, f2, f3, f4, and f5. The f1 and f2 fields are dropped when the raw log entry is sent to storage target 1. The f3 and f4 fields are dropped when the raw log entry is sent to storage target 2.
  • Raw log entry:
    __time__ : 1591754815
    f1: GET
    f2: https
    f3: aliyun
    f4: 200
    f5: standard
  • Transformation rule:
    e_set("tag", "target1, target2")
    e_split("tag")
    e_if(e_search("tag==target1"), e_compose(e_drop_fields("f1", "f2", regex=False), e_output("target1")))
    e_drop_fields("f3", "f4", regex=False)
    e_output("target2")
  • Result:
    • Storage target 1:
      __time__ : 1591754815
      f3: aliyun
      f4: 200
      f5: standard
    • Storage target 2:
      __time__ : 1591754815
      f1: GET
      f2: https
      f5: standard
If you use the following transformation rule, the log entry is sent to storage target 1 as expected. However, the f1 and f2 fields are dropped when the raw log entry is sent to storage target 2.
e_drop_fields("f1", "f2", regex=False)
e_coutput("target1")
e_drop_fields("f3", "f4", regex=False)
e_output("target2")