This topic describes all global operation functions that are provided by Log Service. The domain-specific language (DSL) for Log Service provides approximately 30 global processing functions. You can use the functions to control the logic of data transformation.

The following table describes the global processing functions.
| Category | Function | Description |
| --- | --- | --- |
| Flow control functions | e_if | Performs an operation if a specified condition is met. You can specify multiple condition-operation pairs. |
| | e_if_else | Performs an operation based on the evaluation result of a specified condition. |
| | e_switch | Performs an operation if a specified condition is met and returns the result. |
| | e_compose | Combines multiple operations and performs the operations in sequence. |
| Event processing functions | e_drop | Discards a log if a specified condition is met. |
| | e_keep | Retains a log if a specified condition is met. |
| | e_split | Splits a log into multiple logs based on the value of a specified field. You can also use JMESPath to extract the value of the field, and then split the log. |
| | e_output | Writes a log to a specified Logstore. The subsequent transformation rules are not executed for the log. |
| | e_coutput | Writes a log to a specified Logstore. The subsequent transformation rules are still executed for the log. |
| | e_to_metric | Converts logs to metrics that can be stored in a Metricstore. |
| Field processing functions | v | Extracts the value of a field from a log. |
| | e_set | Adds a field or specifies a new value for an existing field. |
| | e_drop_fields | Discards the log fields that meet a specified condition. |
| | e_keep_fields | Retains the log fields that meet a specified condition. |
| | e_pack_fields | Packs log fields and assigns the log fields as a value to a new field. |
| | e_rename | Renames the log fields that meet a specified condition. |
| Value extraction functions | e_regex | Extracts the value of a field by using a regular expression and assigns the value to other fields. |
| | e_json | Performs operations on JSON objects in a specified field. You can configure the parameters to expand JSON data, extract JSON data by using JMESPath, or expand the extracted JSON data. |
| | e_kv | Extracts key-value pairs from multiple input fields by using a specified quote. |
| | e_kv_delimit | Extracts key-value pairs from input fields by using a specified delimiter. |
| | e_csv | Extracts multiple fields by using a delimiter. The default delimiter is a comma (,). |
| | e_tsv | Extracts multiple fields by using a delimiter. The default delimiter is a tab (\t). |
| | e_psv | Extracts multiple fields by using a delimiter. The default delimiter is a vertical bar (\|). |
| | e_syslogrfc | Calculates the values of the facility and severity fields and returns level information, which is indicated by the facilitylabel field. The function calculates the values based on the value of the priority field and the specified syslog protocol. |
| | e_anchor | Extracts strings by using the rules specified by anchor_rules. |
| Mapping and enrichment functions | e_dict_map | Maps the value of an input field to a value in a specified dictionary and returns a new field. |
| | e_table_map | Maps the value of an input field to a row in a specified table and returns a new field. |
| | e_search_dict_map | Maps data based on a specified dictionary and returns a new field. The dictionary consists of keys that are query strings and the values for the keys. |
| | e_search_table_map | Maps data based on a specified table and returns a new field. The table contains a column whose values are query strings and the rows of the column. |
| Value-added content functions | e_threat_intelligence | Obtains threat intelligence for an IP address or domain name that is specified by a log field and assigns the threat intelligence as a value to a specified field. |