Event Check Functions
This section describes event check functions, including their syntax, parameters, and usage examples.
Function List
| Type | Function | Description |
| --- | --- | --- |
| Basic methods | e_has | Checks whether a specified log field exists. |
| Basic methods | e_not_has | Checks whether a specified log field does not exist. This function can be used together with other functions. |
| Expression functions | e_search | Provides a simplified event search mode similar to the Lucene syntax. This function can be used together with other functions. |
| Expression functions | e_match | Checks whether the values of the current log fields meet a specified regular expression condition. This function can be used together with other functions. |
| Expression functions | e_match_any | Checks whether the values of the current log fields meet a specified regular expression condition. If any field meets the condition, true is returned. Otherwise, false is returned. |
| Expression functions | e_match_all | Checks whether the values of the current log fields meet a specified regular expression condition. If all fields meet the condition, true is returned. Otherwise, false is returned. |
The event check functions can be used together with the following expression functions:
| Type | Function | Description |
| --- | --- | --- |
| Basic judgment | op_and | Performs the logical AND operation. |
| Basic judgment | op_or | Performs the logical OR operation. |
| Basic judgment | op_not | Performs the logical NOT operation. |
| Basic judgment | | Determines the values of two expressions. |
| Basic judgment | | Returns the first expression value that is not None. |
| Basic judgment | | Returns the first expression value that is not None. |
e_has
This function checks whether a specified field exists.
- Function format
e_has("key")
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| key | String | Yes | Log field name. |
- Returned result
If the field exists, true is returned. If the field does not exist, false is returned.
- Function example
Check whether the content field exists in the following log. If it exists, the log is retained. If it does not exist, the log is discarded.
- Test data
{ "content": 123 }
- Processing rule
e_keep(e_has("content"))
- Processing result
content: 123
e_not_has
This function checks whether a specified field does not exist.
- Function format
e_not_has("key")
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| key | String | Yes | Field name. |
- Returned result
If the field does not exist, true is returned. If the field exists, false is returned.
- Function example
Check whether the content field exists in the following log. If it does not exist, the log is retained. If it exists, the log is discarded.
- More
This function can be used together with other functions.
e_search
This function provides a simplified event search mode similar to the Lucene syntax. This feature is currently in closed beta testing. The e_search function is only designed to process a small amount of log traffic. Use it with caution.
- Function format
e_search(querystring)
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| querystring | String | Yes | Query string, which is used to quickly filter logs. |
- Returned result
If the condition is met, true is returned. Otherwise, false is returned.
- Function reference example
# Full text
e_search("active error")  # Full text: searches for logs containing either the substring active or error. The default relationship between them is OR.
e_search('"active error"')  # Full text: searches for active error as a substring.

# Field: string
e_search("status: active")  # Searches for a word.
e_search('author: "john smith"')  # Searches for a substring with spaces.
e_search('field: active error')  # Equivalent to field:active OR "error".

# Exact match
e_search('author== "john smith"')

# Wildcard search. The asterisk (*) matches zero or more characters, and the question mark (?) matches one character.
e_search("status: active*test")  # active*test contains only asterisks (*). It does not need to be enclosed in double quotation marks ("").
e_search("status: active?good")  # active?good contains only question marks (?). It does not need to be enclosed in double quotation marks ("").
e_search("status== ac*tive?good")  # Exact match.

# Escape the search value. The asterisk (*) or question mark (?) must be escaped using a backslash (\).
e_search('status: "\*\?()[]:="')  # \*\?()[]:= contains special characters. Use double quotation marks ("") to enclose the special characters. Only the asterisk (*), question mark (?), and backslash (\) need to be escaped.
e_search("status: active\*test")  # active\*test contains only asterisks (*). You do not need to enclose the asterisks in double quotation marks ("").
e_search("status: active\?test")  # active\?test contains only question marks (?). You do not need to enclose the question marks in double quotation marks ("").

# Field name escape
e_search("\*\(1+1\)\?: abc")  # The field name cannot be enclosed in double quotation marks (""). Special characters are escaped using backslashes (\).
e_search("__tag__\:__container_name__: abc")  # Use backslashes (\) for escaping.
e_search("Chinese field: abc")  # Write Chinese characters directly.

# Regular expression matching
e_search('content~="Regular expression"')  # Regular expression matching.

# Number
e_search('count: [100, 200]')  # >=100 and <=200
e_search('count: [*, 200]')  # <=200
e_search('count: [200, *]')  # >=200
e_search('age >= 18')  # >= 18
e_search('age > 18')  # > 18

# Use relational operators.
e_search("abc OR xyz")  # Relational operators are case insensitive. OR and or are the same.
e_search("abc and (xyz or zzz)")
e_search("abc and not (xyz and not zzz)")
e_search("abc && xyz")  # and
e_search("abc || xyz")  # or
e_search("abc || !xyz")  # or not
- Function example
- Test data
{ "desc": "john smith is a player" }
- Processing rule
e_if(e_search('desc: "john smith"'), e_set("found", "Yes"))
- Processing result
{ "found": "Yes", "desc": "john smith is a player" }
- More
This function can be used together with other functions.
e_match
This function checks whether the values of the current log fields meet a specified regular expression condition.
- Function format
e_match(key, regular_expression, full=true)
The e_match function is usually used together with the op_not, op_and, or op_or functions.
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| key | String | Yes | Field name. If the specified field does not exist, the current sub-condition will not be met. For example, if the f1 field does not exist, the result of e_match("f1",...) is false. |
| regular_expression | String | Yes | Regular expression. If pure string matching (non-regular expression) is required, you can use the str_regex_escape function to modify the regular expression. |
| full | Bool | No | Whether the match is exact. The default value is true, indicating exact match. |
- Returned result
Judgment result of field matching: true or false.
- Function example
Check whether the value of the field k1 is a digit.
- Test data
{ "k1": 123 }
- Processing rule
e_set("match", e_match("k1", r'\d+'))
- Processing result
k1: 123
match: true
- More
This function can be used together with other functions.
e_match_any
This function checks whether the values of the current log fields meet a specified regular expression condition. If any field meets the condition, true is returned. Otherwise, false is returned.
- Function format
e_match_any(key1, regular_expression1, key2, regular_expression2, ..., full=true)
- The key and regular_expression parameters must appear in pairs in the function.
- The e_match_any function is usually used together with the op_not, op_and, or op_or function.
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| key | String | Yes | Field name. If the specified field does not exist, the current sub-condition will not be met. For example, if the f1 field does not exist, the result of e_match_any("f1", ...) is false. |
| regular_expression | String | Yes | Regular expression. If pure string matching (non-regular expression) is required, you can use the str_regex_escape function to modify the regular expression. |
| full | Bool | No | Whether the match is exact. The default value is true, indicating exact match. |
- Returned result
Judgment result of field matching: true or false.
- Function example
e_match_any: If any field matches, true is returned.
- Test data
{ "k1": 123, "k2": "abc", "k3": "abc123" }
- Processing rule
e_set("match",e_match_any('k1', r'\d+', 'k2', '.+'))
- Processing result
k1: 123
k2: abc
k3: abc123
match: true
- More
This function can be used together with other functions.
e_match_all
This function checks whether the values of the current log fields meet a specified regular expression condition. If all fields meet the condition, true is returned. Otherwise, false is returned.
- Function format
e_match_all(key1, regular_expression1, key2, regular_expression2, ..., full=true)
- The key and regular_expression parameters must appear in pairs in the function.
- The e_match_all function is usually used together with the op_not, op_and, or op_or function.
- Parameter description
| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| Field name | String | Yes | Field name. If the specified field does not exist, the current sub-condition will not be met. For example, if the f1 field does not exist, the result of e_match_all("f1", ...) is false. |
| Regular expression | String | Yes | Regular expression. If pure string matching (non-regular expression) is required, you can use the str_regex_escape function to modify the regular expression. |
| full | Bool | No | Whether the match is exact. The default value is true, indicating exact match. |
- Returned result
Judgment result of field matching: true or false.
- Function example
- Test data
{ "k1": 123, "k2": "abc", "k3": "abc123" }
- Processing rule
e_set("match", e_match_all("k1", r"\d+", "k2", r"\d+"))
- Processing result
k1: 123
k2: abc
k3: abc123
match: false
- More
This function can be used together with other functions.
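The following Python model is an added example, not the service's own code. It reproduces the e_match, e_match_any and e_match_all behaviour described above so that a filter rule can be checked locally against sample events. Assumptions: full=true is modeled with re.fullmatch and full=false with re.search, field values are compared as strings, str_regex_escape is modeled with re.escape, and the keep_hosts helper and the sample events are constructed for illustration.

```python
import re

def e_match(event, key, pattern, full=True):
    """Model of e_match: a missing field never satisfies the condition."""
    if key not in event:
        return False
    # Assumption: values are compared as strings; full=True is modeled with
    # re.fullmatch (whole value must match), full=False with re.search.
    matcher = re.fullmatch if full else re.search
    return matcher(pattern, str(event[key])) is not None

def _pairs(args):
    # key and regular_expression must appear in pairs.
    if len(args) % 2:
        raise ValueError("key/regular_expression arguments must be paired")
    return list(zip(args[0::2], args[1::2]))

def e_match_any(event, *args, full=True):
    return any(e_match(event, k, p, full) for k, p in _pairs(args))

def e_match_all(event, *args, full=True):
    return all(e_match(event, k, p, full) for k, p in _pairs(args))

def str_regex_escape(text):
    # Assumption: modeled with re.escape to get literal (non-regex) matching.
    return re.escape(text)

# Constructed sample events (not from a real log stream).
EVENT = {"k1": 123, "k2": "abc", "k3": "abc123"}
HOSTS = [{"host": "db.internal"}, {"host": "dbxinternal"}, {"path": "/health"}]

def keep_hosts(pattern, full=True):
    """Host values that a rule like e_keep(e_match("host", pattern)) would retain."""
    return [e["host"] for e in HOSTS if e_match(e, "host", pattern, full)]

if __name__ == "__main__":
    print(e_match_any(EVENT, "k1", r"\d+", "k2", ".+"))    # rule from the page
    print(e_match_all(EVENT, "k1", r"\d+", "k2", r"\d+"))  # rule from the page
    print(e_match(EVENT, "k3", r"\d+"), e_match(EVENT, "k3", r"\d+", full=False))
    print(keep_hosts("db.internal"))                    # unescaped dot
    print(keep_hosts(str_regex_escape("db.internal")))  # literal match
```

An unescaped dot in the pattern also retains dbxinternal, which is why literal values such as host names or IP addresses should be escaped before they are used as a filter condition.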