Best Practice: Using match statements

Using a match statement can be interchangeable with the case() function. A good rule to remember: if you know the target field you want to transform exists, there are some performance advantages with using match. An example query using match might look like this:

logscale

#event_simpleName=UserLogon event_platform=Lin
| UserIsAdmin match {
    1 => UserIsAdmin := "True" ;
    0 => UserIsAdmin := "False" ;
  }
| select([@timestamp, UserName, UID, LogonType, UserIsAdmin])

Since the field UserIsAdmin will always be in the event UserLogon, using match can help improve the performance of large queries.

The format is:

| targetField match {
    value1 => targetField := "substitution1" ;
    value2 => targetField := "substitution2" ;
  }

Knowledge Base

Best Practice: Using match statements

Enter search term