This topic describes the syntax and parameters of flow control functions. This topic also provides examples on how to use the functions.

Functions

Function Description
e_compose Combines multiple operations.
  • This function is used to combine multiple operations in the e_if, e_switch, or e_if_else function.
  • The specified operations are performed on a log entry in sequence and a result is returned.
  • If one of the specified operations is performed to delete the log entry, the remaining operations are not performed.
e_if Performs an operation if a condition is met. Multiple condition-operation pairs can be specified.
  • If a condition is met, the operation that corresponds to the condition is performed. If the condition is not met, the operation is not performed and the next condition is evaluated.
  • If one of the specified operations is performed to delete a log entry, the remaining operations are not performed on the log entry.
e_if_else Performs an operation based on the evaluation result of a condition.
e_switch Performs an operation if a condition is met. Multiple condition-operation pairs can be specified.
  • If a condition is met, the operation that corresponds to the condition is performed and a result is returned. If the condition is not met, the operation is not performed and the next condition is evaluated.
  • If no specified conditions are met and the default parameter is specified, the default operations that are specified in the default parameter are performed and a result is returned.
  • If one of the specified operations is performed to delete a log entry, the remaining operations are not performed on the log entry.

e_compose

  • Syntax 
    e_compose(Operation 1, Operation 2, ...)
  • Parameters
    Parameter Type Required Description
    Operation 1 Global processing function Yes One or more global processing functions.
    Operation 2 Global processing function No One or more global processing functions.
  • Response

    A log entry on which the specified operations are performed is returned.

  • Example

    If the value of the content field is 123, the age and name fields are deleted and the content field is set to ctx.

    Raw log entry:
    content: 123
age: 23
name: twiss
    Transformation rule: 
    e_if(e_search("content==123"), e_compose(e_drop_fields("age|name"), e_rename("content", "ctx")))
    Result:
    ctx: 123

e_if

  • Syntax 
    e_if(Condition, Operation)
e_if(Condition 1, Operation 1, Condition 2, Operation 2, ...)
    Note The Condition and Operation parameters must be specified in pairs.
  • Parameters
    Parameter Type Required Description
    Condition Arbitrary Yes One or more expressions. If the result is not a Boolean value, the system evaluates whether the condition is true or false.
    Operation Global processing function No One or more global processing functions.
  • Response

    A log entry on which the specified operations are performed is returned.

  • Examples
    • Example 1: If the value of a specified field meets a condition, the operation that corresponds to the condition is performed.
      If the value of the result field is failed or failure, the __topic__ field is set to login_failed_event. 
      e_if(e_match("result", r"failed|failure"), e_set("__topic__", "login_failed_event"))
    • Example 2: If the value of a specified field meets a condition, the value is extracted and the operation that corresponds to the condition is performed.
      If the request_body field exists and the value of the field is not null, the field processing function "e_json" is used to separate the value of the request_body field into multiple values. 
      e_if(v("request_body"), e_json("request_body"))
    • Example 3: If the value of a specified field meets a combined condition, the operation that corresponds to the condition is performed.
      If the value of the valid field is failed, the log entry is dropped. 
      e_if(op_eq(str_lower(v("valid")), "failed"), DROP)
    • Example 4: Multiple operations are performed in sequence based on the specified conditions. 
      e_if(True, e_set("__topic__", "default_login"), 
     e_match("valid", "failed"), e_set("__topic__", "login_failed_event")
  )

e_if_else

  • Syntax 
    e_if_else(Condition, Operation 1 if Condition is evaluated to true, Operation 2 if Condition is evaluated to false)
  • Parameters
    Parameter Type Required Description
    Condition Arbitrary Yes One or more expressions. If the result is not a Boolean value, the system evaluates whether the condition is true or false.
    Operation 1 if Condition is evaluated to true Global processing function Yes One or more global processing functions.
    Operation 2 if Condition is evaluated to false Global processing function Yes One or more global processing functions.
  • Response

    A log entry on which an operation is performed based on the evaluation result of a condition is returned.

  • Example

    If the value of the result field is ok or pass, or the value of the status field is 200, the log entry is retained.

    Raw log entries: 
    result: Ok
status: 400
    result: Pass
status: 200
    result: failure
status: 500
    Transformation rule: 
    e_if_else(op_or(e_match("result", r"(?i)ok|pass"), e_search("status== 200")), KEEP, DROP)
    Result: Only the first two log entries are retained. The third log entry is deleted. 
    result: Ok
status: 400
    result: Pass
status: 200

e_switch

  • Syntax 
    e_switch(Condition 1, Operation 1, ..., default=None)
    Note The Condition and Operation parameters must be specified in pairs.
  • Parameters
    Parameter Type Required Description
    Condition Arbitrary Yes One or more expressions. If the result is not a Boolean value, the system evaluates whether the condition is true or false.
    Operation Global processing function Yes One or more global processing functions.
    default Global processing function No One or more default global processing functions. If no specified conditions are met and the default parameter is specified, the default operations that are specified in the default parameter are performed.
  • Response

    A log entry on which the specified operations are performed is returned.

  • Example
    • If the value of the content field is 123, the __topic__ field is set to Number. If the value of the data field is 123, the __topic__ field is set to PRO.
      Raw log entries: 
      __topic__:  
age: 18
content: 123
name: maki
data: 342
      __topic__:  
age: 18
content: 23
name: maki
data: 123
      Transformation rule: 
      e_switch(e_search("content==123"), e_set("__topic__", "Number", mode="overwrite"), e_search("data==123"), e_set("__topic__", "PRO", mode="overwrite"))
      Result: 
      __topic__: Number
age: 18
content: 123
name: maki
data: 342
      __topic__: PRO
age: 18
content: 23
name: maki
data: 123
    • You can use the e_switch and e_output functions to deliver log entries that meet specified conditions to different Logstores. The default=e_drop() expression indicates that log entries that do not meet specified conditions are deleted, and no other operations are performed on these log entries. If you do not set the default parameter, log entries that meet the specified conditions are delivered to the first Logstore that you specify.
      Raw log entries:
      __topic__: sas-log-dns
test: aliyun

__topic__: aegis-log-network
test:ecs

__topic__: local-dns
test:sls

__topic__: aegis-log-login
test: sls
      Transformation rule:
      e_switch(e_match("__topic__","sas-log-dns"),e_output(name="target1"),
e_match("__topic__","sas-log-process"),e_output(name="target2"),
e_match("__topic__","local-dns"),e_output(name="target3"),
e_match("__topic__","aegis-log-network"),e_output(name="target4"),
e_match("__topic__","aegis-log-login"),e_output(name="target5"),
default=e_drop())