Best Practice: Using case statements

On occasion, you may want to use case statements to substitute one string for another within a given field. There are several ways to accomplish this in LogScale; the easiest and most common ones are shown below.

| case {
    UserIsAdmin=1 | UserIsAdmin := "True" ;
    UserIsAdmin := "False" ;
    * ;
  }

This is what we call a destructive case statement. The statement looks at the field UserIsAdmin and, if the value of that field is 1, it overwrites it with the string "True". If the value of that field is anything else, for example 0, it overwrites that value with "False": the second branch has no filter in front of the assignment, so it matches every event the first branch did not, and the original 1/0 value is lost.

Non-destructive case statements can also be used:

| case {
    UserIsAdmin=1 | UserIsAdmin_Readable := "True" ;
    UserIsAdmin=0 | UserIsAdmin_Readable := "False" ;
    * ;
  }

Now the statement looks at the field UserIsAdmin and, if the value of that field is 1, it sets a new field, UserIsAdmin_Readable, to "True". If the value of that field is 0, it sets UserIsAdmin_Readable to "False". The original UserIsAdmin field is left untouched, which is what makes this form non-destructive.

[Screenshot: Example of a non-destructive case statement]
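The following query is an added example, not code from the original page or from CrowdStrike's GitHub collection. It extends the non-destructive form above with an explicit default branch, so that an unexpected value in UserIsAdmin (anything other than 1 or 0) is labelled rather than silently left without the readable field, and then groups on both fields so the result can be checked. The field names UserIsAdmin and UserIsAdmin_Readable are the ones used on this page; the "Unknown" label is an assumption.

```cql
// Added example (not from the original page). Only events that carry the
// UserIsAdmin field are considered.
UserIsAdmin=*
| case {
    UserIsAdmin=1 | UserIsAdmin_Readable := "True" ;
    UserIsAdmin=0 | UserIsAdmin_Readable := "False" ;
    // Branches are tried in order and the first match wins, so any value
    // that is neither 1 nor 0 lands here instead of missing the new field.
    // "Unknown" is an assumed label, not a value from the page.
    * | UserIsAdmin_Readable := "Unknown" ;
  }
// Keep the raw value alongside the readable one: if the "Unknown" bucket is
// non-empty, the raw UserIsAdmin values in that row show what was unexpected.
| groupBy([UserIsAdmin_Readable, UserIsAdmin])
```

Because the case statement assigns to a new field, the raw UserIsAdmin value survives and can be inspected next to the readable label; with the destructive form the same check would be impossible, since the original value is overwritten before groupBy sees it.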

A list of case statement transforms can be found on CrowdStrike's GitHub page.