
Data Extraction - condition

Table of contents
  1. condition

condition

  • condition(expression, trueValue, falseValue): returns trueValue when expression evaluates to true, otherwise returns falseValue.

Example:

search {from="-8d@d", to="@d"}  
let timestamp=f("@timestamp")
let Type=condition(timestamp>=timerelative(timenow(),"-1d@d"),"Yesterday","LastWeek")
timechart {span="1h"} count() by Type 
let Hour=strftime("%H:%M", timestamp)  
aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour

In the example above, condition labels each event as either "Yesterday" or "LastWeek", and that label (Type) is what the subsequent timechart and aggregate steps group by: hourly counts are built per Type, then compared per hour of day as the maximum for yesterday against the average over the previous week.
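As an added illustration (not code from the original page or the product's own implementation), the Python below reproduces what the query above computes over constructed timestamps: condition labels each event, hourly counts are built per label, and each hour of yesterday is compared against the seven-day baseline. The helper names (day_start, label_events, hourly_baseline) are my own, and it assumes that timechart emits a zero-count bucket for every empty hour and that the window from -8d@d to @d spans eight whole days.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean

def condition(expression, true_value, false_value):
    # Same contract as the documented function: true -> true_value, else false_value.
    return true_value if expression else false_value

def day_start(dt):
    # Equivalent of the "@d" snap: truncate a timestamp to midnight.
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)

def label_events(timestamps, now):
    # timerelative(timenow(), "-1d@d") is midnight at the start of yesterday.
    yesterday = day_start(now - timedelta(days=1))
    return [(ts, condition(ts >= yesterday, "Yesterday", "LastWeek")) for ts in timestamps]

def hourly_baseline(timestamps, now):
    """timechart {span="1h"} count() by Type, then aggregate max/avg by Hour."""
    start, end = day_start(now - timedelta(days=8)), day_start(now)  # -8d@d .. @d
    yesterday = day_start(now - timedelta(days=1))
    labelled = label_events([t for t in timestamps if start <= t < end], now)
    counts = Counter((typ, day_start(ts), ts.hour) for ts, typ in labelled)
    days = [start + timedelta(days=i) for i in range(8)]
    result = {}
    for hour in range(24):
        # Assumption: empty hourly buckets count as 0, so the baseline covers all 7 days.
        y = [counts.get(("Yesterday", d, hour), 0) for d in days if d >= yesterday]
        w = [counts.get(("LastWeek", d, hour), 0) for d in days if d < yesterday]
        result[f"{hour:02d}:00"] = {"YesterdayCount": max(y), "AvgCount": mean(w)}
    return result

# Constructed sample: timenow() is 2024-03-10 09:00 UTC, events fall in the 03:00 hour.
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=UTC)
SAMPLE = [datetime(2024, 3, d, 3, m, tzinfo=UTC) for d, m in
          [(2, 5), (4, 10), (4, 12), (6, 30), (8, 1), (8, 2), (8, 3),  # last week: 7 events
           (9, 15), (9, 40), (9, 41),                                   # yesterday: 3 events
           (10, 3)]]                                                    # today: outside the window

if __name__ == "__main__":
    for hour, row in hourly_baseline(SAMPLE, NOW).items():
        if row["YesterdayCount"] or row["AvgCount"]:
            print(hour, row)
```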