switch
The switch command routes events to different subsearches based on conditions.
Syntax
The syntax for the switch command is as follows:
| switch
<field1> <op> <condition1> [
<subsearch1>
]
<field2> <op> <condition2> [
<subsearch2>
]
The command takes a list of switch cases, each with the following structure:
- A condition in the same format as those used in the match and filter commands.
- A subsearch to execute if the condition is true.
Execution
The switch command evaluates the conditions in the order they are specified. When an event meets a condition, it is routed to the corresponding subsearch and no further conditions are evaluated for that event, so the first matching case wins.
If none of the conditions match, the event will be passed to the next command in the pipeline without modification.
Example
Run different regex extractions based on the index an event came from:
| switch
_index="syslog" [
| extract message = /^\w+\s(?<user>\w+)/
]
_index="systemd" [
| extract MESSAGE = /^\w+\s(?<method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
]
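The following is an added Python model of the switch semantics described above (first matching case wins, unmatched events pass through unchanged), applied to the two extractions from the example. It is not code from the original page or from the query engine the page documents. The sample events are constructed, the helper names (extract, switch, index_is, set_field) are hypothetical, and the regexes are the page's own rewritten with Python's (?P<name>...) group syntax in place of (?<name>...).

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Condition = Callable[[Event], bool]
Subsearch = Callable[[Event], Event]

# Constructed sample events; the field names mirror the page's example
# (syslog uses "message", systemd uses "MESSAGE").
EVENTS: List[Event] = [
    {"_index": "syslog", "message": "sshd alice session opened"},
    {"_index": "systemd", "MESSAGE": "httpd GET by bob from 203.0.113.5"},
    {"_index": "app", "message": "unrelated event"},
    {"_index": "syslog", "message": "cron root job started"},
]


def extract(field: str, pattern: str) -> Subsearch:
    """Model of `extract <field> = /regex/`: named capture groups become new
    fields when the regex matches; otherwise the event is returned as-is."""
    compiled = re.compile(pattern)

    def apply(event: Event) -> Event:
        value = event.get(field)
        if value is None:
            return event
        m = compiled.match(value)
        if m is None:
            return event
        out = dict(event)
        out.update({k: v for k, v in m.groupdict().items() if v is not None})
        return out

    return apply


def set_field(name: str, value: str) -> Subsearch:
    """Hypothetical subsearch that tags an event; used to show case ordering."""
    return lambda ev: {**ev, name: value}


def index_is(name: str) -> Condition:
    """Condition equivalent to `_index="<name>"`."""
    return lambda ev: ev.get("_index") == name


def switch(events: List[Event], cases: List[Tuple[Condition, Subsearch]]) -> List[Event]:
    """Evaluate cases in order per event; the first matching case's subsearch
    runs and no later case is tried. Events matching nothing pass through."""
    out: List[Event] = []
    for ev in events:
        for cond, sub in cases:
            if cond(ev):
                out.append(sub(ev))
                break
        else:
            out.append(ev)
    return out


# The page's example, as switch cases.
CASES: List[Tuple[Condition, Subsearch]] = [
    (index_is("syslog"), extract("message", r"^\w+\s(?P<user>\w+)")),
    (index_is("systemd"), extract(
        "MESSAGE",
        r"^\w+\s(?P<method>\w+)\s\w+\s(?P<user>\w+)\s\w+\s(?P<remote>[^\s]+)")),
]


def run_example() -> List[Event]:
    return switch(EVENTS, CASES)


def run_ordering_demo() -> List[Event]:
    """A broad condition placed before a narrow one swallows the narrow case:
    syslog events are tagged "broad" and the "narrow" case never fires."""
    broad: Condition = lambda ev: ev.get("_index", "").startswith("sys")
    return switch(EVENTS, [
        (broad, set_field("tag", "broad")),
        (index_is("syslog"), set_field("tag", "narrow")),
    ])


if __name__ == "__main__":
    for ev in run_example():
        print(ev)
    for ev in run_ordering_demo():
        print(ev)
```

run_ordering_demo shows the practical consequence of first-match routing: when writing detection extractions, place the most specific condition first, or the broad case will consume the events the specific case was meant to parse.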