conditionals
Subcommands
| Subcommand | Description | Syntax |
|---|---|---|
if | Evaluates a match expression and returns one of two values based on the result | if(<condition>, <expr>, <expr>) |
case | Evaluates match expressions in order and returns the expression for the first match, or the trailing default expression | case(<condition>, <expr>, ..., <default expr>) |
Examples
Basic if usage
Take the following search which returns ssh logins from multiple indices:
| select systemd(accepted ssh) syslog(accepted sshd)
The systemd index use capitals for field names while the syslog index uses lowercase. We can use eval to create a consistent set of fields across both indices that we can then extract fields from:
| select systemd(accepted ssh) syslog(accepted sshd)
| eval message=if(MESSAGE=*, MESSAGE, message)
| extract message=/^\w+\s(?<auth_method>\w+)\s\w+\s(?<user>\w+)\s\w+\s(?<remote>[^\s]+)/
Case usage
Use case to express multiple ordered conditions without manually nesting if expressions. Each condition must have a corresponding expression, followed by a final default expression:
| eval severity=case(status="critical", "high", status="warning", "medium", "low")