I have a log stream from where I am extracting a set of fields to be set as either labels or metric values. The stream is not in a standard format so I am extracting the fields with regexp pipeline command, as below.

(...)
 | regexp "(?P<api>\\w+)\\sAPI"
 | regexp "\\[performed\\.(?P<action>\\w+)"
 | regexp "duration\\s\\[(?P<duration_ms>\\d+)"
 | regexp "response \\[(?P<response>.*?)\\]"

The problem is that the api captured field, on some interaction, is not being populated, and I wanted to update those cases so that a default value was set - For presentation purposes.

I've tried using the native LogLQ's contains and hasPrefix template commands as the documentation suggests they can be used with if else blocks. The documentation is not clear on how to build those blocks inside the label_format or the line_format pipeline commands. But depending on the approach it either returns a format error or does not do anything.

An working example would be appreciated. Thank you.

Note: Tried to tag this as a LogQL topic but not enough reputation to do so.

With @AnthonyA's reply I was able to, after extracting a field, modify its value using the label_format template function.

 (..)
 | regexp "response \\[(?P<response>.*?)\\]"
 (..)
 | label_format api=`{{ if hasPrefix "Error" .response }}ERROR{{else}}{{.response}}{{end}}`
 (..)

This way the field's value is replaced by ERROR if it starts with "Error" and keeping its original value otherwise.

I believe I have gotten something working with line_format:

{environment=~"$environment",level=~"$level"} | json | line_format "{{ if hasSuffix `Exception` .thrown_name  }} Exception occurred! {{end}} {{.message}}" |~ "(?i)$grep"

The documentation for back ticks was difficult to find, and the order for method arguments is also a bit different. Hopefully this helps?