This function chooses one of two expressions based on a condition. It provides functionality similar to the ... ? ... : ... operator known from some programming languages. Unlike a case or match statement, if() can be embedded into other functions and expressions.
Creates a new timechart, generating a new series per customer, that uses a compound function. In this example, the embedded function is generating an array of values, but the array values are generated by an embedded aggregate. The embedded aggregate (defined using the {} syntax) creates a sum() and count() value across the events grouped by the value of the success field generated from the filter query. This is counting the 1 or 0 generated by the if() function: counting all the values and adding up the ones for successful values. These values are assigned to the success and total fields. Note that at this point we are still within the aggregate, so the two new fields are within the context of the aggregate, with each field being created for a corresponding success value.

```logscale
|pct_successful:=(success/total)*100
```

Calculates the percentage that are successful. We are still within the aggregate, so the output of this process is an embedded set of events with the total and success values grouped by each original HTTP response code.

```logscale
|drop([success,total])}],span=15m,limit=100)
```

Still within the embedded aggregate, drop the total and success fields from the array generated by the aggregate. These fields were temporary, used to calculate the percentage of successful results, and are not needed in the array for generating the result set. Then set a span of 15 minutes for the buckets and limit to 100 results overall.
Event Result set.
Summary and Results
This query shows how an embedded aggregate can be used to generate a sequence of values that can be formatted (in this case to calculate percentages) and generate a new event series for the aggregate values.
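A complete query along the lines of the steps above, as an added example rather than the page's own query. It assumes events with a numeric status field (the HTTP response code) and a customer field, treats any status below 400 as a success (an assumption), and computes one success rate per customer per 15-minute bucket rather than per status code.

```logscale
// Added example, not the page's own query. Assumes a numeric status field
// and a customer field on every event; "success" is status < 400 (assumption).
timechart(customer, function=[
  {
    // if() embedded in an assignment: 1 for a successful response, 0 otherwise
    success := if(status < 400, then=1, else=0)
    // embedded aggregate: add up the 1s and count every event in the bucket
    | [sum(success, as=success), count(as=total)]
    // still inside the aggregate: turn the two counts into a percentage
    | pct_successful := (success / total) * 100
    // the temporary fields are not needed in the resulting series
    | drop([success, total])
  }
], span=15m, limit=100)
```

Each 15-minute bucket then carries one pct_successful value per customer, which is what the timechart plots as a series.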
Categorize Errors in Log Levels
Categorize errors in log levels using the in() function in combination with if()
In this more advanced example, the if() function is used to categorize errors based on a time condition and it compares the status of a log level and decides on the log's criticality. The field critical_status is going to be evaluated based on the if() function.

Searches for events where the field status contains the values 500 or 400 and assigns the value Critical to a field named critical_status for the returned results. If the values are not equal to 500 or 400, then the returned events will have the value Non-Critical assigned to the field critical_status.
Event Result set.
Summary and Results
The query is used to categorize errors in log levels according
to their criticality.
When parsing and processing data, the time of the data can be critical, and not all events include an explicit @timestamp field, but the ingest time stamp, when the event was parsed by LogScale, can be a suitable proxy. The lack of timestamp, or a significant difference between the timestamps, may result in displaying an empty value (or creating an event stream that cannot be summarized in a graph).

When summarizing and displaying data, it may be necessary to derive a score or validity based on a test value. This can be achieved using if() by creating the score value if the underlying field is over a threshold value.
Step-by-Step
Starting with the source repository events.
```logscale
percentile(filesize,percentiles=[40,80],as=score)
```

Calculates the percentile() for the filesize field and determines what filesize is above 40% of the overall event set, and 80% of the overall event set.

Compares whether the filesize is greater than 80% of the events, setting symbol to :+1:. Because if() functions can be embedded, the else parameter is another if() statement that sets symbol to so-so if the size is greater than 40%, or :+1: otherwise.
Event Result set.
Summary and Results
Using if() is the best way to make conditional choices about values. The function has the benefit of being able to be embedded into other statements, unlike case.
When processing event data, there are occasions when a value needs to be determined from another field in the event. In this example, the field keyprocess is populated based on the #eventType tag.