Log Service provides the domain-specific language (DSL) to construct global processing functions that can be used as steps in a data transformation rule.

The following table describes the global processing functions.
Type Function Description
Flow control functions e_if Performs an operation if a condition is met. Multiple condition-operation pairs can be specified.
e_if_else Performs an operation based on the evaluation result of a condition.
e_switch Performs an operation if a condition is met and returns a result.
e_compose Combines multiple operations.
Event processing functions e_drop Deletes an event if a condition is met.
e_keep Retains an event if a condition is met.
e_split Splits the value of a specified field into multiple events.
e_output Writes an event to a specified destination Logstore. The event is deleted after it is written to the destination Logstore.
e_coutput Writes an event to a specified destination Logstore. The event is retained after it is written to the destination Logstore.
e_to_metric Converts log data to time series data that can be stored in a Metricstore.
Field processing functions v Extracts the value of a field.
e_set Adds a field or specifies a new value for an existing field.
e_drop_fields Deletes the fields that meet a specified condition.
e_keep_fields Retains the fields that meet a specified condition.
e_pack_fields Encapsulates specified log fields, and then assigns the log fields as a value to a new field.
e_rename Renames the fields that meet a specified condition.
Value extraction functions e_regex Extracts the value of a field by using a regular expression.
e_json Expands or extracts JSON objects.
e_kv Extracts key-value pairs.
e_kv_delimit Extracts key-value pairs by using delimiters.
e_csv Extracts values by using a delimiter. The default delimiter is a comma (,).
e_tsv Extracts values by using a delimiter. The default delimiter is a tab (\t).
e_psv Extracts values by using a delimiter. The default delimiter is a vertical bar (|).
e_syslogrfc Extracts field values based on the syslog protocol.
e_anchor Extracts the value between the specified start and end positions.
Mapping and enrichment functions e_dict_map Maps an event based on a dictionary.
e_table_map Maps an event based on a table.
e_search_map Maps an event based on a search string.
Value-added content functions e_threat_intelligence Obtains threat intelligence.