case
Description
Returns a value from the first clause whose condition evaluates to true.
Each clause is a condition -> value pair: when condition evaluates to true, case returns value. You can include any number of clauses, plus an optional _ -> default fallback. If no condition matches and no fallback is present, case returns null.
Note
case checks clauses top-to-bottom and returns the first match, so order matters.
Syntax
Arguments
| Name | Type | Required | Description |
|---|---|---|---|
| condition -> value | clause | true | A clause where condition is a boolean expression and value is what case returns when this is the first condition to evaluate to true. Repeat for as many branches as you need. |
| _ -> default | clause | false | Optional fallback clause. default is returned when no condition matches. |
Example
Use case: Map server IPs to owners by subnet
Suppose you want to enrich logs with the owner of each server based on its IP address. This can help route incidents to the right team.
You can use the ipInSubnet function inside a case statement to determine ownership. If no subnet matches, a default owner is assigned.
Example data
Example query
create server_owner from
  case {
    ipInSubnet(server_ip, '10.0.0.0/8') -> 'Chris',
    ipInSubnet(server_ip, '165.0.0.0/8') -> 'George',
    ipInSubnet(server_ip, '333.4.0.0/16') -> 'Maya',
    _ -> 'DevOps Team'
  }
Example output
{
  "server_ip": "10.0.0.1",
  "server_owner": "Chris"
},
{
  "server_ip": "165.0.0.1",
  "server_owner": "George"
},
{
  "server_ip": "333.4.5.6",
  "server_owner": "Maya"
}
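The ordering rule from the Note matters most when subnets overlap: a broad subnet listed first hides any narrower subnet listed after it, and incidents get routed to the wrong owner. The Python model below is an added example, not part of the original page or the product's own code; the clause table, the 10.20.0.0/16 subnet and all function names are constructed for illustration. It mimics first-match evaluation and flags clauses that can never be reached.

```python
import ipaddress

# Constructed clause table (not from the page): (CIDR, owner) pairs in the
# order they would appear inside case { ... }. A CIDR of None models `_ -> default`.
CLAUSES = [
    ("10.0.0.0/8", "Chris"),
    ("10.20.0.0/16", "Maya"),  # unreachable: 10.0.0.0/8 above already covers it
    ("165.0.0.0/8", "George"),
    (None, "DevOps Team"),
]


def case_owner(server_ip, clauses):
    """Return the value of the first matching clause, or None if nothing matches."""
    ip = ipaddress.ip_address(server_ip)
    for cidr, owner in clauses:
        if cidr is None or ip in ipaddress.ip_network(cidr):
            return owner
    return None  # no match and no fallback clause


def shadowed_clauses(clauses):
    """List (cidr, owner, earlier_cidr) for clauses fully inside an earlier subnet."""
    findings, seen = [], []
    for cidr, owner in clauses:
        if cidr is None:
            continue  # the fallback has no subnet to compare
        net = ipaddress.ip_network(cidr)
        for earlier in seen:
            # subnet_of() raises TypeError across IP versions, so check first
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append((cidr, owner, str(earlier)))
                break
        seen.append(net)
    return findings


def most_specific_first(clauses):
    """Reorder so longer prefixes are tested first; the fallback stays last."""
    nets = [c for c in clauses if c[0] is not None]
    fallback = [c for c in clauses if c[0] is None]
    nets.sort(key=lambda c: ipaddress.ip_network(c[0]).prefixlen, reverse=True)
    return nets + fallback
```

The shadow check only catches a clause contained in a single earlier subnet; a clause covered by the union of several earlier subnets is not reported.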