Condition Operations
cidrmatch
Description: Returns true or false depending on whether the value matches the sampling condition.
In the example, ret is assigned the value true.
... | eval ipa="192.168.3.2", ret=cidrmatch("192.0.0.0/8", ipa)
In the example, ret is assigned the value false.
... | eval ipa="10.22.3.2", ret=cidrmatch("192.0.0.0/8", ipa)
coalesce
Description: Returns the first non-null value from the list of variables. The order of checking is according to the specified list of fields in the query.
In the example, res will be the first non-null value of the variables user, message, message2.
... | eval res=coalesce(user,message,message2)
in
Description: Returns true if the field contains the search value(s), or false if no matches are found.
In the example, user has the value "Alexander", and res is assigned the value true.
... | eval res=in(user, "Aleksey", "Ilya", "Alexander")
In the example, user has the value "Alexander", and res is assigned the value false.
... | eval res=in(user, "Aleksey", "Ilya")
like
Description: Returns true if the field matches the pattern, or false if no matches are found.
In the example, user has the value "Alexander", and res is assigned the value true.
... | eval res=like(user, "Ale%")
In the example, user has the value "Alexander", and res is assigned the value false.
... | eval res=like(user, "Alek%")
match
Description: Returns true if the field matches a Java regex, or false if no matches are found.
In the example, testVal has the value "hello world", and res is assigned the value true.
... | eval res=match(testVal, "^([a-zA-Z].*)")
In the example, testVal has the value "hello world", and res is assigned the value false.
... | eval res=match(testVal, "^([a-zA-Z]*)")
nullif��
Description: Takes two values/fields as input. If the fields match, returns null, and if they don't, returns the first field's value.
In the example, testVal has the value "hello world", and testVal2 has the value "hello world". res is assigned the value null.
... | eval res=nullif(testVal, testVal2)
In the example, testVal has the value "hello world", and testVal2 has the value "test case". res is assigned the value "hello world".
... | eval res=nullif(testVal, testVal2)
case
Description: Accepts a list of condition - value pairs, returning the value when the condition is met. The list is checked in order, and the first successful condition is returned.
In the example, 'type' has the value "vpn", and extended_status is assigned "VirtualPN".
... | eval extended_status=case('type' == "vpn", "VirtualPN", 'type' == "", "NA")
In the example, 'type' is empty, and extended_status is assigned "NA".
... | eval extended_status=case('type' == "vpn", "VirtualPN", 'type' == "", "NA")
if
Description: Checks whether a condition matches, returning the first value if it does and the second value if it doesn't.
In the example, errNo has the value -1, and res is assigned "OK".
... | eval res = if(errNo == -1, "OK", "NOTOK")
In the example, errNo has the value 503, and res is assigned "NOTOK".
... | eval res = if(errNo == -1, "OK", "NOTOK")
validate
Description: Takes pairs of condition - value, returning the value when the first condition is not met. The list is checked in order, returning the first successful condition.
In the example, log.offset has the value 3090005, and validate_result is assigned "MIN".
... | eval validate_result=validate(log.offset < 3090000, "MIN", (log.offset >= 3090001 AND log.offset <= 3100000), "MEDIUM", log.offset > 3100000, "MAX")
In the example, log.offset has the value 3080000, and validate_result is assigned "MEDIUM".
... | eval validate_result=validate(log.offset < 3090000, "MIN", (log.offset >= 3090001 AND log.offset <= 3100000), "MEDIUM", log.offset > 3100000, "MAX")
TRUE, FALSE, NULL
Description: Assigns the field a value of true, false, or null.
In the example, res is assigned the value true.
... | eval res = TRUE()
In the example, res is assigned the value false.
.. | eval res = FALSE()
In the example, res is assigned the value null.
... | eval res = NULL()