case_equals - Shorthand for case for equals operations

This shorthand will allow users to quickly define case statements based on string == logic. It is very useful for shortening queries that would otherwise have to repeat conditional statements over and over.

Note

This case statement, like all case statements, returns the first matching value. This means the order of the clauses in your case statement is extremely important.

Syntax

case_equals {
  e: any,
  value1 -> result1,
  value2 -> result2,
  ...
  valueN -> resultN
  _      -> default
}

Example - Flagging different environments for alerting:

Our goal is to add a field, should_alert, which is true if alerts should fire for this environment and false if alerts should be ignored. Consider the following log documents:

{
  "cluster_name": "acme-prod-cluster",
  ...
},
{
  "cluster_name": "acme-dev-cluster",
  ...
},
{
  "cluster_name": "acme-stg-cluster"
}

We can see from the cluster name what our environment should be, and we're able to map the cluster name to our new value:

case_equals {
  $d.cluster_name,
  'acme-prod-cluster' -> true,
  'acme-dev-cluster'  -> false,
  'acme-stg-cluster'  -> true,
  _                   -> false
}

We can then save the output of this into a new field, like so:

create should_alert from 
  case_equals {
    $d.cluster_name,
    'acme-prod-cluster' -> true,
    'acme-dev-cluster'  -> false,
    'acme-stg-cluster'  -> true,
    _                   -> false
  }
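As an added illustration that is not part of this page, the following Python models the first-match semantics described in the Note and applies the should_alert mapping above to a few constructed log documents, including a cluster the clauses do not name and a document with no cluster_name, both of which fall through to the `_` default. The DEFAULT sentinel and the function names are this model's own, not DataPrime syntax.

```python
from typing import Any, Sequence, Tuple

# Sentinel standing in for DataPrime's `_` wildcard clause (modelling assumption).
DEFAULT = object()


def case_equals(e: Any, clauses: Sequence[Tuple[Any, Any]]) -> Any:
    """Return the result of the first clause whose value == e, else the `_` default.

    Clauses are evaluated top to bottom and the first match wins, so clause
    order decides the outcome whenever more than one clause could match.
    """
    for value, result in clauses:
        if value is DEFAULT or value == e:
            return result
    raise ValueError("case_equals: no clause matched and no `_` default was given")


# Clauses from the should_alert example on this page.
SHOULD_ALERT_CLAUSES = [
    ("acme-prod-cluster", True),
    ("acme-dev-cluster", False),
    ("acme-stg-cluster", True),
    (DEFAULT, False),
]

# Same clauses with the wildcard moved to the top: because the first match wins,
# `_` shadows every later clause and prod never alerts. This is the ordering
# mistake the Note warns about.
MISORDERED_CLAUSES = [(DEFAULT, False)] + SHOULD_ALERT_CLAUSES[:-1]


def should_alert(doc: dict) -> bool:
    """Model of `create should_alert from case_equals {...}` for one log document."""
    return case_equals(doc.get("cluster_name"), SHOULD_ALERT_CLAUSES)


def flag_docs(docs: Sequence[dict]) -> list:
    """Return copies of the documents with the derived should_alert field added."""
    return [dict(doc, should_alert=should_alert(doc)) for doc in docs]


# Constructed sample documents (not from the page's data).
SAMPLE_DOCS = [
    {"cluster_name": "acme-prod-cluster"},
    {"cluster_name": "acme-dev-cluster"},
    {"cluster_name": "acme-stg-cluster"},
    {"cluster_name": "acme-qa-cluster"},  # not listed: falls through to `_`
    {},                                    # missing field: also falls through to `_`
]

if __name__ == "__main__":
    for flagged in flag_docs(SAMPLE_DOCS):
        print(flagged)
```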