Overview of data processing functions

BLS

  • Function Release Records
  • Product Description
    • Usage restrictions
    • Product Introduction
  • Product pricing
  • Quick Start
    • Introduction
    • Install agent
    • Create LogStore
    • Create Transmission Task
    • Log Analysis and Alerting
    • Create Delivery Task
  • Operation guide
    • Baidu Intelligent Cloud Environment Preparation
    • Overview
    • Identity and access management
    • Logset Management
    • Agent
      • Install Agent on Host
      • Install Agent in K8s Environment
      • Agent Management
      • Agent Release Version
      • Set Agent Startup Parameters
    • Log Collection
      • Transmission Task Collection
        • Create Transmission Task
        • Manage Transmission Task
      • Uploading Logs Using Kafka Protocol
    • Query analysis
      • Log query
      • SQL Syntax
      • Search Syntax
    • Dashboard
      • Overview
      • Management Dashboard
      • Management Dashboard Charts
    • Alarm management
      • Alert Overview
      • Alarm strategy
        • Management alarm strategy
        • Trigger conditions
      • Alarm history
      • Alert execution statistics
      • Alarm notification
        • Alarm Notification Template
        • Alarm callback
    • Data processing
      • Log Delivery
        • Log Delivery Overview
        • Create Delivery Task
        • Manage Delivery Task
      • Scheduled SQL Analysis
        • Manage Scheduled SQL Analysis Task
        • Create Scheduled SQL Analysis Task
      • Real-Time Consumption
      • Data processing
        • Data processing
          • Overview of data processing functions
          • Process control function
          • Mapping enrichment functions
          • Event operation functions
          • Field operation functions
          • Field value extraction functions
    • Log Applications
      • Intelligent Diagnostics
  • Best Practices
    • Use Year-Over-Year and Month-Over-Month as Alert Trigger Conditions
    • BLS Integration with Kibana
    • Use BLS via Grafana
  • Development Guide
    • API Reference
      • API function release records
      • API Overview
      • Interface Overview
      • General Description
      • Service domain
      • Common error codes
      • Terminology
      • Project Related APIs
        • Create Project
        • Update Project
        • Describe Project
        • Delete Project
        • List Project
      • LogStore Related APIs
        • Create LogStore
        • Update LogStore
        • Delete LogStore
        • Describe LogStore
        • Batch Get LogStore
        • List LogStore
      • LogStream Related APIs
        • List LogStream
      • LogRecord Related APIs
        • Push log PushLogRecord
        • Obtain logrecord PullLogRecord
        • Search analysis log QueryLogRecord
        • Histogram API QueryLogHistogram
      • Fast Query FastQuery Related Interfaces
        • Create Fast Query CreateFastQuery
        • Update Fast Query UpdateFastQuery
        • Delete Fast Query DeleteFastQuery
        • Get Fast Query Details DescribeFastQuery
        • Get Fast Query List ListFastQuery
      • Index Related APIs
        • Create Index
        • Update Index
        • Delete Index
        • Describe Index
      • Log Shipper LogShipper Related Interfaces
        • Create Log Shipper
        • Update Log Shipper
        • Set Single Log Shipper Status
        • Delete Single Log Shipper
        • Bulk Delete Log Shipper
        • List Log Shipper Records
        • List Log Shipper
        • Bulk Set Log Shipper Status
        • Get Log Shipper
      • Alarm-Related Interfaces
        • CreateAlarmPolicy
        • UpdateAlarmPolicy
        • DeleteAlarmPolicy
        • ValidateAlarmCondition
        • ValidateAlarmPolicySQL
        • EnableAlarmPolicy
        • DescribeAlarmRecord
        • DisableAlarmPolicy
        • DescribeAlarmPolicy
        • ListAlarmPolicy
        • ListAlarmRecord
        • ListAlarmExecutionStats
        • ListAlarmExecutions
      • LogStore Template-Related Interfaces
        • CreateLogStoreTemplate
        • UpdateLogStoreTemplate
        • DeleteLogStoreTemplates
        • DescribeLogStoreTemplates
        • DescribeLogStoreTemplate
      • Download Log Download Related Interfaces
        • Create Download Task CreateDownloadTask
        • Get Download Task List ListDownloadTask
        • Delete Download Task DeleteDownloadTask
        • Get Download Task Address GetDownloadTaskLink
        • Get Download Task Details DescribeDownloadTask
      • LogAlarm Related Interfaces
        • SetLogAlarmStatus
        • deleteLogAlarm
        • createLogAlarm
        • listLogAlarm
        • updateLogAlarm
        • BulkDeleteLogAlarm
        • PreviewAlarmLogRecord
        • getLogAlarm
        • BulkSetLogAlarmStatus
      • Transmission Task Related Interfaces
        • Create Task CreateTask
        • UpdateTask
      • Interfaces Compatible with Elasticsearch
        • ResolveIndex
        • FieldCaps
        • TermsEnum
        • AsyncSearch
    • SDK Reference
      • Go SDK
        • Overview
        • Initialization
        • Version Release Records
        • Project Operations
        • LogStore Operations
        • Install the SDK Package
        • LogStream Operations
        • LogRecord Operations
        • FastQuery Operations
        • LogShipper Operations
        • Index Operations
        • Download Task Operations
      • Java SDK
        • Overview
        • Install the SDK Package
        • LogRecord Operations
      • iOS SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android & iOS SDK Download
      • SDK Privacy Policy
      • SDK Developer Personal Information Protection Compliance Guide
    • Importing SLS Collection Configuration
  • FAQs
    • Common Questions Overview
    • Fault-related questions
    • Configuration-related questions
  • Log Service Level Agreement SLA
All documents
menu
No results found, please re-enter

BLS

  • Function Release Records
  • Product Description
    • Usage restrictions
    • Product Introduction
  • Product pricing
  • Quick Start
    • Introduction
    • Install agent
    • Create LogStore
    • Create Transmission Task
    • Log Analysis and Alerting
    • Create Delivery Task
  • Operation guide
    • Baidu Intelligent Cloud Environment Preparation
    • Overview
    • Identity and access management
    • Logset Management
    • Agent
      • Install Agent on Host
      • Install Agent in K8s Environment
      • Agent Management
      • Agent Release Version
      • Set Agent Startup Parameters
    • Log Collection
      • Transmission Task Collection
        • Create Transmission Task
        • Manage Transmission Task
      • Uploading Logs Using Kafka Protocol
    • Query analysis
      • Log query
      • SQL Syntax
      • Search Syntax
    • Dashboard
      • Overview
      • Management Dashboard
      • Management Dashboard Charts
    • Alarm management
      • Alert Overview
      • Alarm strategy
        • Management alarm strategy
        • Trigger conditions
      • Alarm history
      • Alert execution statistics
      • Alarm notification
        • Alarm Notification Template
        • Alarm callback
    • Data processing
      • Log Delivery
        • Log Delivery Overview
        • Create Delivery Task
        • Manage Delivery Task
      • Scheduled SQL Analysis
        • Manage Scheduled SQL Analysis Task
        • Create Scheduled SQL Analysis Task
      • Real-Time Consumption
      • Data processing
        • Data processing
          • Overview of data processing functions
          • Process control function
          • Mapping enrichment functions
          • Event operation functions
          • Field operation functions
          • Field value extraction functions
    • Log Applications
      • Intelligent Diagnostics
  • Best Practices
    • Use Year-Over-Year and Month-Over-Month as Alert Trigger Conditions
    • BLS Integration with Kibana
    • Use BLS via Grafana
  • Development Guide
    • API Reference
      • API function release records
      • API Overview
      • Interface Overview
      • General Description
      • Service domain
      • Common error codes
      • Terminology
      • Project Related APIs
        • Create Project
        • Update Project
        • Describe Project
        • Delete Project
        • List Project
      • LogStore Related APIs
        • Create LogStore
        • Update LogStore
        • Delete LogStore
        • Describe LogStore
        • Batch Get LogStore
        • List LogStore
      • LogStream Related APIs
        • List LogStream
      • LogRecord Related APIs
        • Push log PushLogRecord
        • Obtain logrecord PullLogRecord
        • Search analysis log QueryLogRecord
        • Histogram API QueryLogHistogram
      • Fast Query FastQuery Related Interfaces
        • Create Fast Query CreateFastQuery
        • Update Fast Query UpdateFastQuery
        • Delete Fast Query DeleteFastQuery
        • Get Fast Query Details DescribeFastQuery
        • Get Fast Query List ListFastQuery
      • Index Related APIs
        • Create Index
        • Update Index
        • Delete Index
        • Describe Index
      • Log Shipper LogShipper Related Interfaces
        • Create Log Shipper
        • Update Log Shipper
        • Set Single Log Shipper Status
        • Delete Single Log Shipper
        • Bulk Delete Log Shipper
        • List Log Shipper Records
        • List Log Shipper
        • Bulk Set Log Shipper Status
        • Get Log Shipper
      • Alarm-Related Interfaces
        • CreateAlarmPolicy
        • UpdateAlarmPolicy
        • DeleteAlarmPolicy
        • ValidateAlarmCondition
        • ValidateAlarmPolicySQL
        • EnableAlarmPolicy
        • DescribeAlarmRecord
        • DisableAlarmPolicy
        • DescribeAlarmPolicy
        • ListAlarmPolicy
        • ListAlarmRecord
        • ListAlarmExecutionStats
        • ListAlarmExecutions
      • LogStore Template-Related Interfaces
        • CreateLogStoreTemplate
        • UpdateLogStoreTemplate
        • DeleteLogStoreTemplates
        • DescribeLogStoreTemplates
        • DescribeLogStoreTemplate
      • Download Log Download Related Interfaces
        • Create Download Task CreateDownloadTask
        • Get Download Task List ListDownloadTask
        • Delete Download Task DeleteDownloadTask
        • Get Download Task Address GetDownloadTaskLink
        • Get Download Task Details DescribeDownloadTask
      • LogAlarm Related Interfaces
        • SetLogAlarmStatus
        • deleteLogAlarm
        • createLogAlarm
        • listLogAlarm
        • updateLogAlarm
        • BulkDeleteLogAlarm
        • PreviewAlarmLogRecord
        • getLogAlarm
        • BulkSetLogAlarmStatus
      • Transmission Task Related Interfaces
        • Create Task CreateTask
        • UpdateTask
      • Interfaces Compatible with Elasticsearch
        • ResolveIndex
        • FieldCaps
        • TermsEnum
        • AsyncSearch
    • SDK Reference
      • Go SDK
        • Overview
        • Initialization
        • Version Release Records
        • Project Operations
        • LogStore Operations
        • Install the SDK Package
        • LogStream Operations
        • LogRecord Operations
        • FastQuery Operations
        • LogShipper Operations
        • Index Operations
        • Download Task Operations
      • Java SDK
        • Overview
        • Install the SDK Package
        • LogRecord Operations
      • iOS SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android & iOS SDK Download
      • SDK Privacy Policy
      • SDK Developer Personal Information Protection Compliance Guide
    • Importing SLS Collection Configuration
  • FAQs
    • Common Questions Overview
    • Fault-related questions
    • Configuration-related questions
  • Log Service Level Agreement SLA
  • Document center
  • arrow
  • BLS
  • arrow
  • Operation guide
  • arrow
  • Data processing
  • arrow
  • Data processing
  • arrow
  • Data processing
  • arrow
  • Overview of data processing functions
Table of contents on this page
  • Description
  • Function overview
  • Field value extraction functions
  • Mapping enrichment functions
  • Process control function class
  • Event operation functions
  • Field operation functions
  • Description of field extraction modes

Overview of data processing functions

Updated at:2025-11-03

Description

Data processing functions can be freely combined to complete scenarios such as log cleaning, structuring, filtering, distribution, and desensitization.

Function overview

Field value extraction functions

Extract fields/field values from log text.

Function name Function description Function syntax description Return value type
e_regex Extract field values based on regular expressions e_regex("source field name", regex="regular expression", fields_info="mapping list of fields and types", mode="overwrite") Return the extracted log (LOG)
e_json Extract field values in JSON string format ext_json("source field name", depth=100, prefix="", suffix="", format="simple", sep="", mode="overwrite") Return the extracted log (LOG)
e_sep Extract field value content based on separators e_sep("source field name", "mapping list of fields and types", sep="", quote="parts not involved in splitting", restrict=False, mode="overwrite") Return the extracted log (LOG)
e_csv Extract field value content based on separators, with the default separator being a half-width comma e_csv("source field name", "mapping list of fields and types", sep=",", quote="parts not involved in splitting", restrict=False, mode="overwrite") Return the extracted log (LOG)
e_psv Extract field value content based on separators, with the default separator being a vertical bar e_psv("source field name", "mapping list of fields and types", sep=" ", quote="parts not involved in splitting", restrict=False, mode="overwrite")
e_tsv Extract field value content based on separators, with the default separator being a tab character e_tsv("source field name", "mapping list of fields and types", sep="\t", quote="parts not involved in splitting", restrict=False, mode="overwrite") Return the extracted log (LOG)
e_kv Extract field values based on two-level separators e_kv("source field name", "regular expression", "key position", "value position", fields_info="mapping list of fields and types", mode="overwrite") Return the extracted log (LOG)

Mapping enrichment functions

Add new fields according to rules based on existing fields.

Function name Function description Function syntax description Return value type
e_dict_map Use the Dict structure to match field values in logs. When the value of the specified field is the same as the Key in the Dict, assign the Value corresponding to this Key to another field in the log. e_dict_map("JSON dictionary", "source field name", "target field", caseInsensitive=true, missing="", mode="overwrite") Return the extracted log (LOG)

Process control function class

Used for conditional judgment.

Function name Function description Function syntax description Return value type
e_compose A composite operation function, similar to the ability to combine branch code blocks. It can combine multiple operation functions and execute them in sequence, and can be used with branch and output functions e_compose("function1", "function2", ...) Return the extracted log (LOG)
e_if Process logs that meet the condition using the corresponding function; no processing is performed on logs that do not meet the condition e_if("condition", function) Return the extracted log (LOG)
e_if_else Perform different function processing based on conditional judgment e_if_else("condition", function1, function2) Return the extracted log (LOG)
e_switch Perform different function processing based on multi-branch conditions; if there is data that does not meet all conditions, it will be discarded t_switch("condition1", function1, "condition2", function2, ...) Return the extracted log (LOG)

Event operation functions

Used for log distribution, discarding, and splitting

Function name Function description Function syntax description Return value type
e_drop Discard logs that meet the conditions e_drop(condition="condition") Return the extracted log (LOG)
e_keep Retain logs that meet the conditions e_keep(condition="condition") Return the extracted log (LOG)

Field operation functions

Used for adding, deleting, modifying, querying, and renaming fields.

Function name Function description Function syntax description Return value type
v Get the field value and return the corresponding string v(field name) Return the value of the field
e_set Used to set field values or add new fields e_set(field name 1, field value 1, field name 2, field value 2, ..., mode="overwrite") Return the extracted log (LOG)
e_drop_fields Match by field name and delete the matched fields fields_drop(field name 1, field name 2, ...) Return the extracted log (LOG)
e_rename Rename fields e_rename(field name 1, new field name 1, field name 2, new field name 2, ...) Return the extracted log (LOG)

Description of field extraction modes

The following table describes the different values and explanations of the mode parameter for field extraction modes. Original log: { "a": "", "b": 100 }

Parameter value Description Processing statements Processing results
fill Set the target field when the target field does not exist or its value is empty. e_set("a", "123",mode="fill") {"a":"123","b":"100"}
fill-auto Set the target field when the new value is not empty and the target field does not exist or its value is empty. e_set("a", "123",mode="fill-auto") {"a":"123","b":"100"}
add Set the target field when the target field does not exist. e_set("c", 200,mode="add") {"a":"","b":"100","c":"200"}
add-auto Set the target field when the new value is not empty and the target field does not exist. e_set("c", "",mode="add-auto") {"a":"","b":"100"}
overwrite Always set the target field. e_set("a", "123",mode="overwrite") {"a":"123","b":"100"}
overwrite-auto Set the target field when the new value is not empty. e_set("b", "123",mode="overwrite-auto") {"a":"","b":"123"}

Previous
Real-Time Consumption
Next
Process control function