
Data Extraction - condition



  • condition(expression, trueValue, falseValue): returns trueValue if expression evaluates to true; otherwise returns falseValue.


search {from="-8d@d", to="@d"}  
let timestamp=f("@timestamp")
let Type=condition(timestamp>=timerelative(timenow(),"-1d@d"),"Yesterday","LastWeek")
timechart {span="1h"} count() by Type 
let Hour=strftime("%H:%M", timestamp)  
aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour

In the example above, condition labels each event as either "Yesterday" or "LastWeek". The timechart and aggregate functions that follow then operate on those two types.
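The same pipeline emulated in Python, as an added example that is not part of the original documentation or the product's own code, to show what the condition label feeds into at each stage. Assumptions: "@d" snaps to the start of the day, avg only counts hours that contain LastWeek events, and the names hourly_baseline, NOW and SAMPLE are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def condition(expression, true_value, false_value):
    """Same contract as condition() above: true_value if expression is true."""
    return true_value if expression else false_value

def hourly_baseline(timestamps, now):
    """Hypothetical helper: label, count per 1h bucket, then aggregate by hour of day."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)  # "@d" (assumed)
    yesterday = today - timedelta(days=1)                           # "-1d@d"
    window_start = today - timedelta(days=8)                        # "-8d@d"

    # timechart {span="1h"} count() by Type
    buckets = defaultdict(lambda: defaultdict(int))
    for ts in timestamps:
        if not (window_start <= ts < today):
            continue  # outside the search window
        label = condition(ts >= yesterday, "Yesterday", "LastWeek")
        buckets[ts.replace(minute=0, second=0, microsecond=0)][label] += 1

    # aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour
    per_hour = defaultdict(lambda: {"Yesterday": [], "LastWeek": []})
    for bucket_start, counts in buckets.items():
        hour = bucket_start.strftime("%H:%M")
        for label, n in counts.items():
            per_hour[hour][label].append(n)
    return {
        hour: {
            "YesterdayCount": max(v["Yesterday"], default=0),
            # Assumption: hours with no LastWeek events are not averaged in
            "AvgCount": sum(v["LastWeek"]) / len(v["LastWeek"]) if v["LastWeek"] else 0.0,
        }
        for hour, v in sorted(per_hour.items())
    }

# Constructed sample data: n events at (day, hour) in May 2024
NOW = datetime(2024, 5, 10, 9, 30)
def _events(day, hour, n):
    return [datetime(2024, 5, day, hour, minute) for minute in range(n)]
SAMPLE = (
    _events(9, 3, 6) + _events(3, 3, 2) + _events(6, 3, 4)  # 03:00 yesterday vs. last week
    + _events(9, 14, 1) + _events(7, 14, 1)                 # 14:00 yesterday vs. last week
    + _events(10, 3, 1) + _events(1, 3, 1)                  # today and too old: excluded
)

if __name__ == "__main__":
    for hour, row in hourly_baseline(SAMPLE, NOW).items():
        print(hour, row)
```
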