Updated on 2025-09-07 GMT+08:00

Process Control Functions

This section describes process control functions, including their syntax, parameters, and usage examples.

Function List

Function

Description

e_compose

Combines a series of operations.

  • This function is often used with the e_if, e_switch, or e_if_else function to combine operations.
  • It calls operations one by one, transfers and converts logs, and returns the final log.
  • If an operation deletes a log, subsequent operations are not performed.

This function can be used together with other functions.

e_if

Combines conditions and operations.

  • If a condition is met, the corresponding operation is performed. If a condition is not met, the flow proceeds to the next condition.
  • If an operation deletes a log, subsequent operations are not performed.
e_if(
    e_has("a"), e_output("target-a"),
    e_has("b"), e_output("target-b"),
)

For example, the processing rule is equivalent to the following Python code structure:

if e_has("a"):
    e_output("target-a")
if e_has("b"):
    e_output("target-b")

This function can be used together with other functions.

e_if_else

Performs operations based on the condition judgment result.

e_if_else(e_has("a"), e_output("target-a"), e_output("target-b"))

For example, the processing rule is equivalent to the following Python code structure:

if e_has("a"):
    e_output("target-a")
else:
    e_output("target-b")

e_switch

Combines conditions and operations.

  • If a condition is met, the corresponding operation is performed and the result is returned. If a condition is not met, the flow proceeds to the next condition.
  • If no condition is met but default parameters are configured, the operation of the default configuration is performed and the result is returned.
  • If an operation deletes a log, subsequent operations are not performed.
e_switch(
    e_has("a"), e_output("target-a"),
    e_has("b"), e_output("target-b"),
    default=e_output("target-default"),
)

For example, the processing rule is equivalent to the following Python code structure:

if e_has("a"):
    e_output("target-a")
elif e_has("b"):
    e_output("target-b")
else:
    e_output("target-default")

This function can be used together with other functions.

e_compose

Merges multiple operations.

  • Function format

    e_compose(operation 1, operation 2, ...)

  • Parameter description

    | Parameter | Type | Mandatory | Description |
    |---|---|---|---|
    | Operation 1 | Global operation function | Yes | Global operation function or combination of global operation functions. |
    | Operation 2 | Global operation function | No | Global operation function or combination of global operation functions. |

  • Returned result

    Logs after the operation.

  • Function example

    If the value of the content field is 123, delete the age and name fields, and then set the value of the content field to ctx.

    • Test data
      {
        "content": 123,
        "age": 23,
        "name": "twiss"
      }
    • Processing rule
      e_if(
          e_search("content==123"),
          e_compose(e_drop_fields("age|name"), e_rename("content", "ctx")),
      )
    • Processing result
      ctx: 123
  • More

    This function can be used together with other functions.

e_if

This function performs operations based on judgment conditions.

  • Function format
    e_if(Condition, Operation)
    e_if(Condition1, Operation1, Condition2, Operation2, ...)

    The conditions and operations in the function must appear in pairs.

  • Parameter description

    | Parameter | Type | Mandatory | Description |
    |---|---|---|---|
    | Condition | Any | Yes | Expression or combination of expressions. If the result is not a Boolean value, the system determines whether the result is true or false. |
    | Operation | Global operation function | No | Global operation function or combination of global operation functions. |

  • Returned result

    Processed logs.

  • Function example
    1. Example 1: Perform operations after field value matching.

      If the value of result is failed or failure, set the value of __topic__ to login_failed_event.

      • Test data
        {
         "result": "failed"
        }
      • Processing rule
        e_if(e_match("result", r"failed|failure"), e_set("__topic__", "login_failed_event"))
      • Processing result
        result: failed
        __topic__: login_failed_event
    2. Example 2: Extract data based on the field value.

      If the request_body field exists and is not empty, call the field operation function json to expand the request_body field into multiple values.

      • Test data
        {
         "request_body": "{\"k1\": 100, \"k2\": 200}"
        }
      • Processing rule
        e_if(v("request_body"), e_json("request_body"))
      • Processing result
        request_body: {"k1": 100, "k2": 200}
        k1: 100
        k2: 200
    3. Example 3: Perform operations after advanced judgment.

      If the value of valid is failed (in lowercase), the log is discarded.

      • Test data
        {
         "valid":"failed"
        }
      • Processing rule
        e_if(op_eq(str_lower(v("valid")), "failed"),  e_drop())
      • Processing result: The log is discarded.
    4. Example 4: Perform operations based on the condition sequence.
      • Test data
        {
         "valid":"failed"
        }
      • Processing rule
        e_if(True, e_set("__topic__", "default_login"), e_match("valid", "failed"), e_set("__topic__", "login_failed_event"))
      • Processing result
        valid: failed
        __topic__: login_failed_event
  • More

    This function can be used together with other functions.

e_if_else

This function performs operations based on the condition judgment result.

  • Function format
    e_if_else(Condition, Operation when the condition is true, Operation when the condition is false)
  • Parameter description

    | Parameter | Type | Mandatory | Description |
    |---|---|---|---|
    | Condition | Any | Yes | Expression or combination of expressions. If the result is not a Boolean value, the system determines whether the result is true or false. |
    | Operation when the condition is true | Global operation function | Yes | Global operation function or combination of global operation functions. |
    | Operation when the condition is false | Global operation function | Yes | Global operation function or combination of global operation functions. |

  • Returned result

    Operation result corresponding to different conditions.

  • Function example

    If the value of the result field is ok or pass, or the value of the status field is 200, the log is retained.

    • Test data
      {
        "result": "ok",
        "status": 400
      }
      {
        "result": "Pass",
        "status": 200
      }
      {
        "result": "failure",
        "status": 500
      }
    • Processing rule
      e_if_else(
          op_or(e_match("result", r"(?i)ok|pass"), e_search("status== 200")),
          e_keep(),
          e_drop()
      )
    • Processing result
      result: ok
      status: 400

      result: Pass
      status: 200

e_switch

This function merges multiple conditions and operations.

  • Function format
    e_switch(Condition 1, Operation 1, ..., default=None)

    Note: Conditions and operations must appear in pairs in the function.

  • Parameter description

    | Parameter | Type | Mandatory | Description |
    |---|---|---|---|
    | Condition | Any | Yes | Expression or combination of expressions. If the result is not a Boolean value, the system determines whether the result is true or false. |
    | Operation | Global operation function | Yes | Global operation function or combination of global operation functions. |
    | default | Global operation function | No | Default global operation function or combination of global operation functions. This operation is performed when no condition is met. |

  • Returned result

    Processed logs.

  • Function example
    1. If the value of the content field is 123, set the value of __topic__ to Number. If the value of the data field is 123, set the value of __topic__ to PRO.
      • Test data
        {
          "__topic__": "",
          "age": 18,
          "content": 123,
          "name": "maki",
          "data": 342
        }
        {
          "__topic__": "",
          "age": 18,
          "content": 23,
          "name": "maki",
          "data": 123
        }
      • Processing rule
        e_switch(
            e_search("content==123"),
            e_set("__topic__", "Number", mode="overwrite"),
            e_search("data==123"),
            e_set("__topic__", "PRO", mode="overwrite"),
        )
      • Processing result
        __topic__: Number
        age: 18
        content: 123
        name: maki
        data: 342

        __topic__: PRO
        age: 18
        content: 23
        name: maki
        data: 123
    2. This example combines e_switch with e_output to deliver logs that match the rules to different log streams. default=e_drop() indicates that logs that match no rule are discarded. If the default parameter is not specified, all logs that match no rule are delivered to the first configured log stream.

      The output processing result will not be displayed in the processing result box.

      • Test data
        {
          "__topic__": "sas-log-dns",
          "test": "aa"
        }
        {
          "__topic__": "aegis-log-network",
          "test": "ecs"
        }
        {
          "__topic__": "local-dns",
          "test": "sls"
        }
        {
          "__topic__": "aegis-log-login",
          "test": "sls"
        }
      • Processing rule
        e_switch(
            e_match("__topic__", "sas-log-dns"),
            e_output(name="target1"),
            e_match("__topic__", "sas-log-process"),
            e_output(name="target2"),
            e_match("__topic__", "local-dns"),
            e_output(name="target3"),
            e_match("__topic__", "aegis-log-network"),
            e_output(name="target4"),
            e_match("__topic__", "aegis-log-login"),
            e_output(name="target5"),
            default=e_drop(),
        )
  • More

    This function can be used together with other functions.
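
The following added example (not part of the original documentation, and not the service's implementation) models the control flow described above for e_compose, e_if and e_switch in plain Python. It shows why condition order matters when tagging events such as failed logins. The helper names _met and classify and the whole-value matching in e_match are assumptions of this sketch.

```python
import re

# Model (an assumption, not the service's code): an operation maps a log dict to
# a new dict, or to None when the log is deleted; a condition maps a log to a bool.

def e_set(field, value):
    return lambda log: {**log, field: value}

def e_drop():
    return lambda log: None

def e_match(field, pattern):
    # Assumption: the regex must match the whole field value.
    return lambda log: re.fullmatch(pattern, str(log.get(field, ""))) is not None

def _met(cond, log):
    return bool(cond(log)) if callable(cond) else bool(cond)

def e_compose(*ops):
    def run(log):
        for op in ops:
            log = op(log)
            if log is None:  # a deleted log stops the chain
                return None
        return log
    return run

def e_if(*pairs):
    def run(log):
        # Every pair is tested in order, like a series of independent ifs.
        for cond, op in zip(pairs[0::2], pairs[1::2]):
            if _met(cond, log):
                log = op(log)
                if log is None:
                    return None
        return log
    return run

def e_switch(*pairs, default=None):
    def run(log):
        # Only the first met condition runs, like if/elif/else.
        for cond, op in zip(pairs[0::2], pairs[1::2]):
            if _met(cond, log):
                return op(log)
        return default(log) if default else log
    return run

def classify(control, log):
    # The condition sequence of e_if Example 4, run under either function.
    return control(True, e_set("__topic__", "default_login"),
                   e_match("valid", "failed"),
                   e_set("__topic__", "login_failed_event"))(log)
```

With the log {"valid": "failed"}, classify(e_if, ...) ends with __topic__ set to login_failed_event, while classify(e_switch, ...) stops at the catch-all first condition and leaves it as default_login.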