case_contains - Shorthand for case for string contains operations
This shorthand will allow users to quickly define case statements based on string contains
logic. It is very useful for shortening queries that would otherwise have to repeat conditional statements over and over.
NOTE: This case statement, like all case statements, returns the first matching value. This means the order of the clauses in your case statement is extremely important.
Syntax
case_contains {
s: string,
substring1 -> result1,
substring2 -> result2,
...
substringN -> resultN
_ -> default
}
Example - Mapping values in a cluster name to full environment names:
Our goal is to convert the cluster_name metadata field into a full environment name. Let's imagine we have the following log documents:
{
cluster_name: acme-prod-cluster,
...
},
{
cluster_name: acme-dev-cluster,
...
},
{
cluster_name: acme-stg-cluster
}
We can see from the cluster name what our environment should be, and using the case_contains
keyword makes it easy to perform the mapping:
case_contains {
$d.cluster_name,
'-prod-' -> 'production',
'-dev-' -> 'development',
'-stg-' -> 'staging',
_ -> 'test'
}
We can then save the output of this into a new field, like so:
create environment_name from
case_contains {
$d.cluster_name,
'-prod-' -> 'production',
'-dev-' -> 'development',
'-stg-' -> 'staging',
_ -> 'test'
}
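To make the first-match rule concrete, here is an added Python model of the case_contains semantics (this is illustrative code, not DataPrime or Coralogix code). It runs the page's clauses over constructed cluster names, including one that contains two of the substrings and one where the '-prod-' delimiter is absent, so a production cluster silently lands in the '_ -> 'test'' default.

```python
# Added example: a small Python model of case_contains semantics
# (first matching clause wins, the '_' default otherwise).
# Not DataPrime code; written to show why clause order and the default matter.
from typing import List, Sequence, Tuple

Clause = Tuple[str, str]  # (substring, result)

def case_contains(s: str, clauses: Sequence[Clause], default: str) -> str:
    """Return the result of the first clause whose substring occurs in s."""
    for substring, result in clauses:
        if substring in s:
            return result
    return default

# Clauses from the page's example, in the page's order.
ENV_CLAUSES: Sequence[Clause] = (
    ("-prod-", "production"),
    ("-dev-", "development"),
    ("-stg-", "staging"),
)

def environment_name(cluster_name: str) -> str:
    """Equivalent of the page's case_contains over $d.cluster_name."""
    return case_contains(cluster_name, ENV_CLAUSES, "test")

# Constructed sample documents (not taken from any real system).
SAMPLE_DOCS = [
    {"cluster_name": "acme-prod-cluster"},
    {"cluster_name": "acme-dev-cluster"},
    {"cluster_name": "acme-stg-cluster"},
    {"cluster_name": "acme-prod-dev-cluster"},    # two substrings: first clause wins
    {"cluster_name": "acme-production-cluster"},  # no '-prod-' delimiter: falls to default
]

def classify(docs) -> List[Tuple[str, str]]:
    """Mimic 'create environment_name from case_contains {...}' for each document."""
    return [(d["cluster_name"], environment_name(d["cluster_name"])) for d in docs]

if __name__ == "__main__":
    for name, env in classify(SAMPLE_DOCS):
        print(f"{name:28} -> {env}")
```

The last sample shows why the default deserves a second look: an unmatched name is labelled 'test', so a query that filters on environment_name == 'production' would miss it.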