Add a Field Based on Values of Another Field - Example 1 | LogScale Query Examples

Add a Field Based on Values of Another Field - Example 1

Query

logscale

| statusClass :=
if(regex("^1", field=statuscode), then="informational", else=
if(regex("^2", field=statuscode), then="successful", else=
if(regex("^3", field=statuscode), then="redirection", else=
if(regex("^4", field=statuscode), then="client error", else=
if(regex("^5", field=statuscode), then="server error", else=
"unknown")))))

Introduction

Nested if() functions can be used within a larger expression for adding a field whose value is calculated based on another field.

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{Conditional} result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| statusClass :=
if(regex("^1", field=statuscode), then="informational", else=
if(regex("^2", field=statuscode), then="successful", else=
if(regex("^3", field=statuscode), then="redirection", else=
if(regex("^4", field=statuscode), then="client error", else=
if(regex("^5", field=statuscode), then="server error", else=
"unknown")))))
```
Add a statusClass field where the following conditions are set:
- If the value of field statuscode begins with 1, then statusClass is labeled as informational, otherwise:
- If the value of field statuscode begins with 2, then statusClass is labeled as successful, otherwise:
- If the value of field statuscode begins with 3, then statusClass is labeled as redirection, otherwise:
- If the value of field statuscode begins with 4, then statusClass is labeled as client error, otherwise:
- If the value of field statuscode begins with 5, then statusClass is labeled as server error, otherwise it is labeled as unknown.
Event Result set.