Conditionals

if

The if subcommand has the following syntax:

    if(<match expression>, <eval expression if true>, <eval expression if false>)

<match expression> is an expression in the same format as that of the match command, and <eval expression if true> and <eval expression if false> are expressions to be evaluated if the match expression evaluates to true or false respectively.

Example

Take the following search, which returns ssh logins from multiple indices:

    | select systemd(accepted ssh) syslog(accepted sshd)

The systemd index uses capitals for field names while the syslog index uses lowercase. We can use eval to create a consistent set of fields across both indices that we can then extract fields from:

    | select systemd(accepted ssh) syslog(accepted sshd)
    | eval message=if(MESSAGE=*, MESSAGE, message)
    | extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
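To make the three-stage search concrete, here is an added Python model of what the select, eval/if and extract steps do to a handful of events. It is not the query engine's own code; the event records are constructed sample data, and it assumes that a match expression of the form FIELD=* is true when the field is present on the event. Python spells the named groups as (?P<name>...), otherwise the pattern is the one from the extract command above. The block also shows why the accepted term in the select step matters: the extract pattern only anchors on word shapes, so a "Failed password for invalid user ..." line that slipped through would be parsed into the wrong fields.

```python
import re

# Constructed sample events, not real log data. The first mimics the systemd
# index (uppercase MESSAGE), the others mimic the syslog index (lowercase message).
SAMPLE_EVENTS = [
    {"index": "systemd",
     "MESSAGE": "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:placeholder"},
    {"index": "syslog",
     "message": "Accepted password for bob from 192.0.2.7 port 40022 ssh2"},
    {"index": "syslog",
     "message": "Failed password for invalid user root from 198.51.100.9 port 22 ssh2"},
]

# Same pattern as the page's extract command, in Python's (?P<name>...) group syntax.
SSH_LOGIN = re.compile(
    r"^\w+\s(?P<auth_method>\w+)\s\w+\s(?P<user>\w+)\s\w+\s(?P<remote>[^\s]+)"
)


def select_terms(events, *terms):
    """Model of `select`: keep events whose string fields contain every term (case-insensitive)."""
    kept = []
    for ev in events:
        haystack = " ".join(v for v in ev.values() if isinstance(v, str)).lower()
        if all(t.lower() in haystack for t in terms):
            kept.append(ev)
    return kept


def eval_if(match, if_true, if_false):
    """Model of if(<match>, <true expr>, <false expr>): evaluate the match, then one branch only."""
    return if_true() if match() else if_false()


def normalise_message(event):
    """Model of `eval message=if(MESSAGE=*, MESSAGE, message)`.

    Assumption: FIELD=* is true when the field exists on the event.
    """
    return eval_if(
        lambda: "MESSAGE" in event,
        lambda: event["MESSAGE"],
        lambda: event.get("message"),
    )


def extract_fields(message):
    """Model of `extract message=/.../`: return the named groups, or {} when the pattern misses."""
    m = SSH_LOGIN.match(message or "")
    return m.groupdict() if m else {}


def pipeline(events):
    """select -> eval -> extract, returning new event dicts with the extracted fields added."""
    out = []
    for ev in select_terms(events, "accepted", "ssh"):
        ev = dict(ev)                      # do not mutate the caller's records
        ev["message"] = normalise_message(ev)
        ev.update(extract_fields(ev["message"]))
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in pipeline(SAMPLE_EVENTS):
        print(ev["index"], ev["auth_method"], ev["user"], ev["remote"])
```

Running the block prints one line per accepted login with a consistent auth_method, user and remote regardless of which index the event came from. The Failed line never reaches extract because select drops it; calling extract_fields on it directly yields user="invalid" and remote="root", which is the misparse the select filter prevents.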