Best Practice: Using match statements

The match() function is interchangeable with the case() function. A good rule to remember: if you know that the target field you want to transform exists in the event, using match() has some performance advantages. An example query using match() might look like this:

#event_simpleName=UserLogon event_platform=Lin
| UserIsAdmin match {
    1 => UserIsAdmin := "True" ;
    0 => UserIsAdmin := "False" ;
  }
| select([@timestamp, UserName, UID, LogonType, UserIsAdmin])

Since the field UserIsAdmin will always be in the event UserLogon, using match() can help improve the performance of large queries.

The format is:

| targetField match {
    value1 => targetField := "substitution1" ;
    value2 => targetField := "substitution2" ;
  }
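As an added example that is not part of the original page, the two queries below show the same transformation written with case() and with match(), each with a `*` catch-all arm so that events whose UserIsAdmin value is neither 0 nor 1 are still labelled and kept; the final groupBy() is an assumed follow-on to count admin logons per user.

```cql
// Query A: case() form. Each arm is a full condition, so it does not rely on
// UserIsAdmin being present in every event.
#event_simpleName=UserLogon event_platform=Lin
| case {
    UserIsAdmin = 1 | UserIsAdmin := "True" ;
    UserIsAdmin = 0 | UserIsAdmin := "False" ;
    * | UserIsAdmin := "Unknown" ;
  }
| select([@timestamp, UserName, UID, LogonType, UserIsAdmin])

// Query B: match() form. The field is named once and each arm is a literal
// value; the * arm handles anything else. Because UserIsAdmin is always
// present in UserLogon events, this is the preferred form on large searches.
#event_simpleName=UserLogon event_platform=Lin
| UserIsAdmin match {
    1 => UserIsAdmin := "True" ;
    0 => UserIsAdmin := "False" ;
    * => UserIsAdmin := "Unknown" ;
  }
// Assumed follow-on: count logons per user and admin status so unexpected
// admin logons stand out.
| groupBy([UserName, UserIsAdmin], function=count())
```

Run one query at a time; applying both in sequence would relabel the already substituted "True"/"False" strings as "Unknown".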