# 常见处理器使用案例
<a name="processor-examples"></a>

以下是用于组合处理器的常见场景和示例配置：

**Example 标准化日志格式并添加元数据**  
解析 JSON 日志、标准化字段名称并添加环境信息：  

```
processor:
  - parse_json: {}
  - rename_keys:
      entries:
        - from_key: "timestamp"
          to_key: "@timestamp"
        - from_key: "log_level"
          to_key: "level"
  - add_entries:
      entries:
        - key: "environment"
          value: "production"
        - key: "application"
          value: "payment-service"
```

**Example 清理字段值并进行标准化处理**  
对状态代码进行标准化处理并移除敏感数据：  

```
processor:
  - uppercase_string:
      with_keys: ["status", "method"]
  - delete_entries:
      with_keys: ["credit_card", "password"]
  - substitute_string:
      entries:
        - source: "status"
          from: "SUCCESS"
          to: "OK"
```

**Example 提取并转换特定字段**  
提取用户信息和格式以进行分析：  

```
processor:
  - extract_value:
      entries:
        - source: "user_agent"
          target: "browser"
          from: "(?<browser>Chrome|Firefox|Safari)"
          to: "${browser}"
  - lowercase_string:
      with_keys: ["browser"]
  - move_keys:
      entries:
        - from_key: "browser"
          to_key: "user_data.browser"
```

**Example 使用条目级条件进行条件处理**  
使用条目级 `when` 条件，根据日志严重性添加不同的元数据：  

```
processor:
  - add_entries:
      entries:
        - key: "alert_level"
          value: "critical"
          when: "log.level == 'ERROR'"
        - key: "alert_level"
          value: "info"
          when_else: "log.level == 'ERROR'"
```

**Example 删除不需要的日志条目**  
筛选掉来自第三方来源的调试和跟踪日志条目，以降低噪音和存储成本：  

```
processor:
  - drop_events:
      when: "log.level in {'DEBUG', 'TRACE'}"
      handle_expression_failure: "skip"
```

**Example 带有 delete\$1entris 的处理器级条件**  
仅在环境为生产环境时才删除敏感字段：  

```
processor:
  - delete_entries:
      with_keys: ["password", "api_key", "ssn"]
      when: "environment in {'prod', 'staging'}"
```