switch
The switch command is used to route events to different subsearches based on conditions.
Syntax
The syntax for the switch command is as follows:
A list of switch cases, each with the following structure:
- A condition in the same format as those used in the match and filter commands.
- A subsearch to execute if the condition is true.
There may also be a default case that is executed if none of the conditions are met. The default case is specified with a single [] block with no condition before it.
| switch
<field1> <op> <condition1> [
<subsearch1>
]
<field2> <op> <condition2> [
<subsearch2>
]
[
<subsearch_default>
]
Execution
The switch command evaluates each condition in the order they are specified. If a condition is met by an event, it will be routed to the corresponding subsearch and no further conditions will be evaluated for that event.
If none of the conditions match, the event is handed to the default subsearch when one is specified; otherwise it is passed to the next command in the pipeline without modification.
Example
Run different regex extractions based on the index an event came from:
| switch
_index="syslog" [
| extract message = /^\w+\s(?<user>\w+)/
]
_index="systemd" [
| extract MESSAGE = /^\w+\s(?<method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
]
[
| eval default = "No extraction performed"
]
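The following is an added illustration, not code from the page or the product it documents: a small JavaScript model of the routing rules in the Execution section, applied to the example above. The two regexes are the page's own; the helper names (extract, evalField, runSwitch) and the sample events are assumptions constructed for this example.

```javascript
// Added example (not from the page): a model of how the switch command
// routes each event to the first case whose condition holds.
// Regexes are the page's own; events and helper names are constructed.

// Mimics "| extract <field> = /regex/": copies named groups onto the event.
// If the regex does not match, the event is returned unchanged.
const extract = (field, regex) => (event) => {
  const m = regex.exec(event[field] ?? "");
  return m ? { ...event, ...m.groups } : event;
};

// Mimics "| eval <name> = <value>".
const evalField = (name, value) => (event) => ({ ...event, [name]: value });

// cases: array of [condition, subsearch], evaluated in order; the first
// matching condition wins and later ones are skipped for that event.
// defaultCase models the bare [] block; without one, unmatched events
// pass through untouched.
function runSwitch(cases, defaultCase, events) {
  return events.map((event) => {
    for (const [condition, subsearch] of cases) {
      if (condition(event)) return subsearch(event);
    }
    return defaultCase ? defaultCase(event) : event;
  });
}

// The page's example, expressed with the helpers above.
const cases = [
  [(e) => e._index === "syslog",
   extract("message", /^\w+\s(?<user>\w+)/)],
  [(e) => e._index === "systemd",
   extract("MESSAGE", /^\w+\s(?<method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/)],
];
const defaultCase = evalField("default", "No extraction performed");

// Constructed sample events covering each route.
const sampleEvents = [
  { _index: "syslog", message: "sshd alice session opened" },
  { _index: "systemd", MESSAGE: "Accepted publickey for bob from 203.0.113.7 port 22" },
  { _index: "systemd", MESSAGE: "Started session" }, // condition matches, regex does not
  { _index: "nginx", message: "GET /healthz" },        // no condition matches
];

function runExample() {
  return runSwitch(cases, defaultCase, sampleEvents);
}

console.log(runExample());
```

Note that the third event is consumed by the systemd case even though its extraction finds nothing: routing is decided by the condition, not by whether the subsearch changed the event, so it never reaches the default block.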