conditionals
Subcommands
| Subcommand | Description | Syntax |
|---|---|---|
| if | Evaluates a match expression and returns the first `<expr>` if it matches, otherwise the second | if(<condition>, <expr>, <expr>) |
Examples
Basic if usage
Take the following search, which returns accepted SSH logins from two indices:
| select systemd(accepted ssh) syslog(accepted sshd)
The systemd index uses capital letters for field names (`MESSAGE`) while the syslog index uses lowercase (`message`). We can use eval with if to build a single `message` field across both indices: the condition `MESSAGE=*` matches when the record has a `MESSAGE` field, so that value is used, and the lowercase `message` is kept otherwise. The unified field can then be fed to extract:
| select systemd(accepted ssh) syslog(accepted sshd)
| eval message=if(MESSAGE=*, MESSAGE, message)
| extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
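The following is an added example, not part of the original page or of the search tool it documents. It re-implements the same two steps in Python so the behaviour can be checked offline: the if/eval normalisation of `MESSAGE` versus `message`, followed by the extract regex exactly as written above (Python spells named groups `(?P<name>...)`). The records are constructed; usernames, hosts and addresses are made up. The last two records go beyond the page's example to show what the regex does with input the `select` filter is meant to keep out.

```python
import re
from typing import Optional

# Constructed sample records (not real logs). The first mimics a systemd
# journal entry (uppercase MESSAGE), the rest mimic syslog (lowercase message).
RECORDS = [
    {"index": "systemd",
     "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 52344 ssh2: RSA SHA256:abc"},
    {"index": "syslog",
     "message": "Accepted password for bob from 2001:db8::7 port 40112 ssh2"},
    # Hyphenated username: \w+ stops at '-', so the page's regex does not match.
    {"index": "syslog",
     "message": "Accepted publickey for deploy-bot from 198.51.100.5 port 22 ssh2"},
    # A line the select filter (accepted ...) is supposed to exclude. The regex
    # still matches it, but assigns the wrong tokens to user and remote.
    {"index": "syslog",
     "message": "Failed password for invalid user admin from 203.0.113.9 port 5 ssh2"},
]

# The page's extract regex, unchanged apart from Python's (?P<name>) syntax.
EXTRACT_RE = re.compile(
    r"^\w+\s(?P<auth_method>\w+)\s\w+\s(?P<user>\w+)\s\w+\s(?P<remote>[^\s]+)"
)


def normalise_message(record: dict) -> Optional[str]:
    """Equivalent of `eval message=if(MESSAGE=*, MESSAGE, message)`:
    use MESSAGE when the record has one, otherwise fall back to message."""
    if record.get("MESSAGE") not in (None, ""):
        return record["MESSAGE"]
    return record.get("message")


def extract_login(message: str) -> Optional[dict]:
    """Equivalent of the extract step: returns the named groups or None."""
    m = EXTRACT_RE.match(message)
    return m.groupdict() if m else None


def run_pipeline(records) -> list:
    """Apply eval-then-extract to every record, in order."""
    results = []
    for rec in records:
        msg = normalise_message(rec)
        results.append(extract_login(msg) if msg else None)
    return results


if __name__ == "__main__":
    for rec, fields in zip(RECORDS, run_pipeline(RECORDS)):
        print(rec["index"], "->", fields)
```

Two things the run makes visible: `\w+` for the `user` group rejects valid account names containing `-` or `.`, so those logins silently drop out of the extracted set, and the regex itself does not check for `Accepted`, so it depends entirely on the `select` terms to keep `Failed ... invalid user` lines out (on such a line it reports `user=invalid` and `remote=admin`). If the filter is ever loosened, anchor the regex with `^Accepted\s` rather than `^\w+\s`.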