if()

`if()`

This function allows to choose one out of two expressions based on a condition. It provides a functionality similar to the ... ? ... : ... operator known from some programming languages.

Unlike a case or match statement, the if() can be embedded into other functions and expressions.

Parameter	Type	Required	Default Value	Description
`as`	string	optional^[a]	`_if`	The name of the output destination field.
`condition`^[b]	expression	required		The conditional expression to evaluate.
`else`	expression	required		The alternative statement to execute.
`then`	expression	required		The consequent statement to execute.
^[a]Optional parameters use their default value unless explicitly set. ^[b]The parameter name `condition` can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

The behavior of:

logscale

if(cond, then=onTrue, else=onFalse, as=y)

is equivalent to a case expression:

logscale

case {
  test(cond)
| y := onTrue;
  y := onFalse
}

In particular:

The interpretation of condition is the same as the expression argument of test().
The evaluation of then / else arguments is the same as the evaluation of the right-hand side of :=.

The if() function:

is a simplified version of the case / match based alternative.
can be used as an expression inside other expressions.

`if()` Examples

Click + next to an example below to get the full details.

Add a Field Based on Values of Another Field - Example 1

Add a Field Based on Values of Another Field - Example 2

Add a Field Based on Values of Another Field - Example 3

Calculate a Percentage of Successful Status Codes Over Time

Starting with the source repository events.
logscale
```
| success := if(status >= 500, then=0, else=1)
```
Adds a success field at the following conditions:
- If the value of field status is greater than or equal to 500, set the value of success to 0, otherwise to 1.
logscale
```
| timeChart(series=customer,function=
[
  {
    [sum(success,as=success),count(as=total)]
```
Creates a new timechart, generating a new series, customer that uses a compound function. In this example, the embedded function is generating an array of values, but the array values are generated by an embedded aggregate. The embedded aggregate (defined using the {} syntax), creates a sum() and count() value across the events grouped by the value of success field generated from the filter query. This is counting the 11 or 0 generated by the if() function; counting all the values and adding up the ones for successful values. These values will be assigned to the success and total fields. Note that at this point we are still within the aggregate, so the two new fields are within the context of the aggregate, with each field being created for a corresponding success value.
logscale
```
| pct_successful := (success/total)*100
```
Calculates the percentage that are successful. We are still within the aggregate, so the output of this process will be an embedded set of events with the total and success values grouped by each original HTTP response code.
logscale
```
| drop([success,total])}],span=15m,limit=100)
```
Still within the embedded aggregate, drop the total and success fields from the array generated by the aggregate. These fields were temporary to calculate the percentage of successful results, but are not needed in the array for generating the result set. Then, set a span for the buckets for the events of 15 minutes and limit to 100 results overall.
Event Result set.

Categorize Errors in Log Levels

Categorize errors in log levels using the in() function in combination with if()

srcIP	loglevel	status	user	critical_status
192.168.1.5	ERROR	404	admin	Critical
10.0.0.1	INFO	200	user1	Non-Critical
172.16.0.5	WARN	422	user2	Non-Critical
192.168.1.15	ERROR	500	admin	Critical
10.0.0.12	DEBUG	302	user1	NonCritical

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts

if() Examples

Add a Field Based on Values of Another Field - Example 1

Query

Introduction

Step-by-Step

Summary and Results

Add a Field Based on Values of Another Field - Example 2

Query

Introduction

Step-by-Step

Summary and Results

Add a Field Based on Values of Another Field - Example 3

Query

Introduction

Step-by-Step

Summary and Results

Calculate a Percentage of Successful Status Codes Over Time

Query

Introduction

Step-by-Step

Summary and Results

Categorize Errors in Log Levels

Query

Introduction

Step-by-Step

Summary and Results

Convert Timestamps Based on Accuracy

Query

Introduction

Step-by-Step

Summary and Results

Determine a Score Based on Field Value

Query

Introduction

Step-by-Step

Summary and Results

Set a Field Value Based on Tag Value

Query

Introduction

Step-by-Step

Summary and Results

Use Multiple if() Functions

Query

Introduction

Step-by-Step

Summary and Results

Version Support

Enter search term

`if()`

`if()` Examples