Conditional functions evaluate specific conditions or logical expressions and return a value based on whether the condition is true or false. These functions are used to apply logic within queries.
Comparison functions evaluate relationships between values, such as equality, inequality, or relative size. Based on the comparison, they return a true or false result.
In scenarios involving multiple If, If-else, and If-elseif-else statements, use the case keyword to streamline these statements.
Important
Case keyword’s functionality differs from that of the Case statement.
The if statement takes a condition and a string value, X, and evaluates the condition; if it’s true, it returns the value of X. When using a negative number in an if condition, it should be enclosed in parentheses ‘()’ for clarity.
Syntax:
| process eval("identifier=if(condition) {return X}")
or
| process eval("identifier = case(condition -> result)")
Example 1:
| process eval("User_severity=if(risk_score >= 5) {return 'Risk user'}")
| chart count() by risk_score, User_severity
Using if statement function
Here, the query checks if the risk_score field’s value is greater than or equal to 5 and returns Risk user value in the User_severity identifier.
The chart count() command displays the count of the combination of risk_score and User_severity values as a chart and in a tabular form.
Example 2:
A log with cpu_usage = 70.
Query:
| process eval("alert=case(
cpu_usage > 50 -> 'High',
cpu_usage > 20 -> 'Medium',
cpu_usage > 0 -> 'Low',
true -> 'Invalid')")
Output:
alert = High
Here, the case keyword sequentially evaluates multiple if conditions and returns High value in the alert identifier.
The if-else statement takes a condition and two string values, X and Y, and evaluates the condition; if it’s true, it returns the value of X; if it isn’t, it returns the value of Y. When using a negative number in an if condition, it should be enclosed in parentheses ‘()’ for clarity.
Syntax:
| process eval("identifier=if(condition) {return X} else {return Y}")
or
| process eval("identifier = case(condition1 -> result1, condition2 -> result2, ...)")
Example 1:
| process eval("is_profitloss=if((Selling_price%cost_price) == 0)
{return 'No profit/loss'} else {return 'profit/loss'}")
| fields Selling_price, cost_price, is_profitloss
Using if-else statement function
Here, the query checks whether the remainder of dividing the Selling_price field by the cost_price field is 0. It returns No profit/loss in the is_profitloss identifier if the condition is true; if it isn't, it returns profit/loss.
The fields command displays the values of Selling_price, cost_price and is_profitloss in a tabular form.
Example 2:
A log with response_time = 90
Query:
| process eval("time=case(
(response_time > 200 && response_time < 500) -> 'Big',
(response_time >= 100 && response_time <= 200) -> 'Medium',
(response_time < 100) -> 'Low',
true -> 'Invalid')")
Output:
time = Low
Here, the case keyword sequentially evaluates multiple if-else conditions and returns Low value in the time identifier.
If the first condition were false, the second condition would be evaluated, and so on. If all specified conditions failed, the true -> 'Invalid' condition would ensure time = Invalid.
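The first-match behaviour described above, as an added Python model that is not LogPoint's own implementation: it assumes case() tries the conditions in the order written and returns the result of the first one that is true. It runs the page's cpu_usage and response_time rules, then the cpu_usage rules again in reverse order to show why the ordering matters, and feeds a response_time outside every listed range to show what the true -> 'Invalid' catch-all actually receives.

```python
# Added example: a Python model of the case keyword's first-match semantics.
# Not LogPoint's implementation; assumes conditions are tried in the order
# written and the first true condition wins.
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
Rule = Tuple[Callable[[Event], bool], Any]   # (condition over the event, result)


def case(event: Event, rules: List[Rule]) -> Any:
    """Return the result paired with the first rule whose condition holds.

    A trailing (lambda e: True, 'Invalid') rule plays the role of the page's
    'true -> Invalid': it catches whatever the earlier conditions missed.
    """
    for condition, result in rules:
        if condition(event):
            return result
    return None   # no rule matched and no catch-all was supplied


# The cpu_usage rules from the page, in the order the page writes them.
CPU_RULES: List[Rule] = [
    (lambda e: e["cpu_usage"] > 50, "High"),
    (lambda e: e["cpu_usage"] > 20, "Medium"),
    (lambda e: e["cpu_usage"] > 0, "Low"),
    (lambda e: True, "Invalid"),
]

# The same rules written broadest-first. Every positive reading now satisfies
# 'cpu_usage > 0' before the narrower conditions are ever tried.
CPU_RULES_MISORDERED: List[Rule] = [
    (lambda e: e["cpu_usage"] > 0, "Low"),
    (lambda e: e["cpu_usage"] > 20, "Medium"),
    (lambda e: e["cpu_usage"] > 50, "High"),
    (lambda e: True, "Invalid"),
]

# The response_time rules from the page. The ranges are not contiguous:
# nothing handles response_time >= 500, so such values reach the catch-all.
RESPONSE_RULES: List[Rule] = [
    (lambda e: 200 < e["response_time"] < 500, "Big"),
    (lambda e: 100 <= e["response_time"] <= 200, "Medium"),
    (lambda e: e["response_time"] < 100, "Low"),
    (lambda e: True, "Invalid"),
]


def cpu_alert(cpu_usage: float, misordered: bool = False) -> str:
    """alert=case(...) for one constructed event with the given cpu_usage."""
    rules = CPU_RULES_MISORDERED if misordered else CPU_RULES
    return case({"cpu_usage": cpu_usage}, rules)


def response_label(response_time: float) -> str:
    """time=case(...) for one constructed event with the given response_time."""
    return case({"response_time": response_time}, RESPONSE_RULES)


if __name__ == "__main__":
    print(cpu_alert(70))                   # High    (the page's example)
    print(cpu_alert(70, misordered=True))  # Low     (first match wins)
    print(cpu_alert(0))                    # Invalid
    print(response_label(90))              # Low     (the page's example)
    print(response_label(600))             # Invalid (no range covers >= 500)
```

The reversed rule set is the pitfall to watch for when rules are edited later: adding a broad condition near the top silently shadows every narrower one below it, and the default branch only ever sees values that no listed condition covers, so a label like 'Invalid' may end up on legitimate but unanticipated readings.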
It takes one or more alternating conditions and values. It compares the condition in the following order.
If the first condition is true, it returns the value provided in X,
If it isn’t true, it compares the second condition;
If the second condition is true, it returns the value provided in Y,
If it isn’t true, it returns the value provided in Z.
When using a negative number in an if condition, it should be enclosed in parentheses ‘()’ for clarity.
Syntax:
| process eval("identifier=if(condition){return X} else-if(condition) {return Y} else { return Z}")
or
| process eval("identifier = case(condition1 -> result1, condition2 -> result2, condition3 -> result3, default_case)")
Example 1:
| process eval("User_severity=if(risk_score > 5) {return 'Risk user'}
else-if(risk_score<=0) {return 'No risk'} else {return 'Normal user'}")
| fields risk_score, User_severity
Using if-elseif-else statement function
Here, the query checks if the risk_score field's value is greater than 5. It returns Risk user in the User_severity identifier if the condition is true; if it isn't, it compares the second condition. It checks if the risk_score field's value is less than or equal to 0 and returns No risk if true. If both of these conditions are false, it returns Normal user.
The fields command displays the value of risk_score and User_severity in a tabular form.
Example 2:
A log with severity = Medium and event_type = Network Activity.
Query:
| process eval("event_category=case(
(severity == 'Critical' && event_type == 'Malware Detection') -> 'High Priority - Immediate Attention',
(severity == 'High' && event_type == 'Authentication') -> 'Medium Priority - Review',
(severity == 'Medium' && event_type == 'Network Activity') -> 'Low Priority - Monitor',
(severity == 'Low' && event_type == 'Authentication') -> 'Informational - No Action Needed',
(severity == 'Low' && event_type == 'Network Activity') -> 'Informational - Monitor',
true -> 'Invalid Event Data')")
Output:
event_category = Low Priority - Monitor
Here, the case keyword sequentially evaluates multiple If-elseif-else conditions and returns Low Priority - Monitor value in the event_category identifier.
Accepts one or more alternating conditions and values. It compares the condition in the following order.
if case_one matches the value of the data, it returns the value provided in X,
if it doesn't match, it checks if case_two matches the value of the data;
if the condition is true, it returns the value in Y,
if it isn't, it returns the value in Z by default.
Syntax:
| process eval("identifier=switch(data) {case(case_one) {return X}
case(case_two) {return Y} default {return Z}}")
Example:
| process eval("Access_type=switch(action) {case('allow') {return 'Allow access'}
case('deny') {return 'Deny access'} default {return 'Forward access'}}")
| fields action, Access_type
Using case statement function
Here, the query returns Allow access in the Access_type identifier if the action field's value is allow. If it isn't, it checks if the value of action is deny and returns Deny access. If neither value matches, it returns Forward access by default.
The fields command displays the value of action and Access_type in a tabular form.
Accepts two arguments, a CIDR (Classless Inter-Domain Routing) notation, and an IP address. It returns true if the IP address matches the CIDR notation, if it doesn’t it returns false.
Syntax:
| process eval("identifier=cidrmatch(CIDR, IP)")
Example:
| process eval("is_local_ip=cidrmatch('127.0.0.0/8', device_ip)")
Using cidrmatch function
Here, the query returns true in the is_local_ip identifier if the device_ip field’s value matches the CIDR notation 127.0.0.0/8, if it doesn’t match it returns false.
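The check above, as an added Python model built on the standard ipaddress module. It is not LogPoint's implementation; it assumes the product's cidrmatch returns false for a value that is not a parseable address (an empty field, a hostname, a host:port string) and never matches an IPv4 block against an IPv6 address. The device_ip values are constructed sample input.

```python
# Added example: a Python model of cidrmatch(CIDR, IP). Not LogPoint's
# implementation; the handling of unparseable input and mixed IP versions
# below is an assumption, stated in the lead-in.
import ipaddress
from typing import Dict, List


def cidrmatch(cidr: str, ip: str) -> bool:
    """True when ip lies inside the cidr block, False otherwise.

    Unparseable input yields False rather than an exception, so one malformed
    device_ip value does not abort the whole query.
    """
    try:
        network = ipaddress.ip_network(cidr, strict=False)
        address = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # An IPv4 address never matches an IPv6 block and vice versa.
    if network.version != address.version:
        return False
    return address in network


# Constructed sample events: device_ip values a collector might hand over.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"device_ip": "127.0.0.1"},
    {"device_ip": "127.255.255.254"},   # still inside 127.0.0.0/8
    {"device_ip": "128.0.0.1"},         # one past the end of the block
    {"device_ip": "10.1.2.3"},
    {"device_ip": "::1"},               # IPv6 loopback is not in 127.0.0.0/8
    {"device_ip": "127.0.0.1:514"},     # port suffix: not a valid address
    {"device_ip": ""},                  # empty field
]


def label_events(events: List[Dict[str, str]], cidr: str = "127.0.0.0/8"):
    """Mirror | process eval("is_local_ip=cidrmatch('127.0.0.0/8', device_ip)")
    over a batch of events, returning each event with is_local_ip added."""
    return [dict(e, is_local_ip=cidrmatch(cidr, e["device_ip"])) for e in events]


if __name__ == "__main__":
    for row in label_events(SAMPLE_EVENTS):
        print(f'{row["device_ip"]!r:20} is_local_ip={row["is_local_ip"]}')
```

The two cases worth keeping in mind when reading the resulting chart are the boundary (127.255.255.254 is inside the block, 128.0.0.1 is not) and the silent false for values that are not addresses at all: a collector that ships device_ip with a port suffix will never produce a true, which is easy to mistake for "no local traffic".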
Accepts an arbitrary number of arguments as input and returns the value of the first argument that is not null.
Syntax:
| process eval("identifier=coalesce(X,Y,...)")
Example:
| process eval("ip_add=coalesce(ip_address,device_ip)")
| fields ip_address, device_ip, ip_add
Using coalesce function
Here, the query returns the ip_address field’s value in the ip_add identifier if the value is not null. If it is null, it checks the value of the device_ip field. If the device_ip field’s value is not null, it returns its value in the ip_add identifier.
The fields command displays the value of ip_address, device_ip and ip_add in a tabular form.
Returns false. The function in combination with other functions represents a condition that is absolutely false, 1==0. Unlike other functions, this function does not take any argument.
Syntax:
| process eval("identifier=false()")
Example:
| process eval("is_profit=if(Selling_price > cost_price) {return true()} else {return false()}")
| chart count() by Selling_price, cost_price, is_profit
Using false function
Here, the query checks the value in the Selling_price and cost_price fields. It returns true in the is_profit identifier if the Selling_price is greater than the cost_price, if it isn’t it returns false.
The chart count() command displays the count of the combination Selling_price and cost_price values as a chart and in a tabular form.
Accepts a field of an event and a list of string values. It returns true if one of the values in the list matches the value specified in the field, if it doesn’t it returns false.
Syntax:
| process eval("identifier=in(field, value1, value2, value3, ...)")
Example:
| process eval("isUserAdmin=in(user, 'Administrator', 'administrator', 'Admin', 'admin')")
| chart count() by user, isUserAdmin
Using in function
Here, the query returns true in the isUserAdmin identifier if the user field's value matches any one value in the list: Administrator, administrator, Admin and admin; if it doesn't, it returns false.
The chart count() command displays the count of the combination of user and isUserAdmin values as a chart and in a tabular form.
Accepts a text field X and a regex (regular expression) string. It returns true or false based on whether the given regular expression finds a match against any substring of the text in the field X.
It also returns true if the text in regex string exactly matches the text in the field X.
Syntax:
| process eval("identifier=match(X, regex)")
Example:
| process eval("is_coltype_filesystem=match(col_type,'file.*')") | chart count() by col_type, is_coltype_filesystem
Using match function
Here, the query compares the regex string file.* with the value in the col_type field. It returns true in the is_coltype_filesystem identifier if the pattern is an exact match or matches a substring of the col_type field's value; if it doesn't match, it returns false.
The chart count() command displays the count of the combination of col_type and is_coltype_filesystem values as a chart and in a tabular form.
Accepts a text field X and a pattern. It returns true if the text in X matches the given pattern, if it doesn’t match it returns false. This function also returns true if the text in the pattern exactly matches the text in the X field.
The pattern supports a regular expression as well as the percent character (%) for wildcards and an underscore character (_) for a single character match.
Syntax:
| process eval("identifier=like(X, pattern)")
Example:
| process eval("is_coltype_syslog=like(col_type,'sys%')")
| chart count() by col_type, is_coltype_syslog
Using like function
Here, the query compares the sys% pattern with the col_type field's value. It returns true in the is_coltype_syslog identifier if the sys% pattern is an exact match or matches a substring of the col_type field's value; if it doesn't match, it returns false.
The chart count() command displays the count of the combination of col_type and is_coltype_syslog values as a chart and in a tabular form.
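The match and like functions described in the two sections above, as added Python models that are not LogPoint's implementation. The model assumes match() is an unanchored regex search (so the pattern may land on any substring of the field), and that like() replaces % with "any run of characters" and _ with "exactly one character", passes the rest of the pattern through as a regular expression as the page states, and compares it against the whole field value; that last anchoring point is this model's assumption. The col_type values are constructed sample input.

```python
# Added example: Python models of match(X, regex) and like(X, pattern).
# Not LogPoint's implementation; anchoring of like() to the whole value is an
# assumption, see the lead-in.
import re
from typing import Dict, List


def match(x: str, regex: str) -> bool:
    """True if regex matches anywhere in x (substring semantics)."""
    return re.search(regex, x) is not None


def like_to_regex(pattern: str) -> str:
    """Translate a like() pattern into regex: % -> '.*', _ -> '.'.

    Every other character passes through unchanged, so regex syntax inside the
    pattern keeps working, as the page says it does.
    """
    return pattern.replace("%", ".*").replace("_", ".")


def like(x: str, pattern: str) -> bool:
    """True if the whole of x fits the wildcard pattern (assumed anchoring)."""
    return re.fullmatch(like_to_regex(pattern), x) is not None


# Constructed sample col_type values.
SAMPLE_COL_TYPES: List[str] = ["filesystem", "syslog", "sysmon", "profile", "mysyslog", "sys"]


def classify(col_types: List[str]) -> List[Dict[str, object]]:
    """Mirror the two page queries over a batch of col_type values."""
    return [
        {
            "col_type": ct,
            "is_coltype_filesystem": match(ct, "file.*"),   # page's match() example
            "is_coltype_syslog": like(ct, "sys%"),          # page's like() example
        }
        for ct in col_types
    ]


if __name__ == "__main__":
    for row in classify(SAMPLE_COL_TYPES):
        print(row)
```

The row for "profile" is the one to notice: match(col_type, 'file.*') is true for it because the regex is unanchored and "file" occurs inside the value, so a query meant to pick out filesystem collectors also picks up anything whose type merely contains that word. Anchor the regex (for example '^file.*') when only a prefix should count.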
Returns null. You use the null function in combination with other functions. Use this function if you do not want any value returned in the user interface. Unlike other functions, this function does not take any argument.
Syntax:
| process eval("identifier=null()")
Example:
| process eval("User_severity=if(score <= 5) {return null() } else {return 'Risk user'}")
| chart count() by score, User_severity
Using null function
Here, the query returns null in the User_severity identifier if the score field's value is less than or equal to 5; if it isn't, it returns Risk user.
The chart count() command displays the count of the combination of score and User_severity values as a chart and in a tabular form.
Compares two arguments: X and Y. If X = Y, it returns null, if it isn’t equal it returns the value of X.
Syntax:
| process eval("identifier=nullif(X, Y)")
Example:
| process eval("access_type=nullif(access,'DELETE')")
| chart count() by access, access_type
Using nullif function
Here, the query returns null in the access_type identifier if the access field’s value is DELETE, if it isn’t it returns the value of the access.
The chart count() command displays the count of the combination of access and access_type values as a chart and in a tabular form.
Accepts a string field X as input. It returns true if the value of X matches the event type, if it doesn’t match it returns false. You can use the pipe ( | ) symbol to separate multiple values of X.
Syntax:
| process eval("identifier=searchmatch(X)")
Example:
| process eval("is_authentication_event=searchmatch('Authentication | Access')")
Using searchmatch function
Here, the query returns true in the is_authentication_event identifier if the event's type matches Authentication or Access; if it doesn't match, it returns false.
Returns true. It is often used in combination with other functions to represent a condition that is undoubtedly true, 1==1. Unlike other functions, this function does not take any argument.
Syntax:
| process eval("identifier=true()")
Example:
| process eval("is_profit=if(Selling_price > cost_price) {return true()} else {return false()}")
| chart count() by Selling_price, cost_price, is_profit
Using true function
Here, the query returns true in the is_profit identifier if the Selling_price field’s value is greater than the value of the cost_price field. If it isn’t, it returns false.
The chart count() command displays the count of the combination of Selling_price, cost_price and is_profit values as a chart and in a tabular form.
Accepts three arguments: X, Y and Z. It returns true if the value of X is within Y separated by a delimiter Z. If X is not listed, the function returns false. In the absence of a delimiter, the comma is a default delimiter.
Syntax:
| process eval("identifier=contains(X, Y, Z)")
Example:
| process eval("exists=contains('log','/var/log/syslog', '/') ")
Using contains function
Here, the query returns true in the exists identifier if the log string is within the /var/log/syslog string separated by the / delimiter. If the log string is not listed, the function returns false.
Checks a string or its substrings from data against a list of case-insensitive strings. It accepts two arguments: X and Y. It returns true if X or a substring of X is present in Y; if it isn't present, it returns false.
Syntax:
| process eval("identifier=has_any(X, Y)")
X: It is a string.
Y: It is a list.
Example 1:
| process eval("result = has_any('hi.exe', '.exe,.dmg')")
Using has_any function
Here, the query searches for the hi.exe string in the .exe,.dmg list and returns true in the result field, because the substring .exe is present in the list.
Example 2:
| process eval("result=has_any('This was a language.',kb_list)")
Using has_any function
Here, the query searches for the This was a language. string or its substrings in kb_list and returns true in the result field.
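The three membership functions from the in, contains and has_any sections, as added Python models placed side by side so their different rules can be compared. This is not LogPoint's implementation. The model assumes in() is an exact, case-sensitive match (inferred from the page listing both Admin and admin explicitly), that contains() is an exact match against the elements produced by splitting Y on the delimiter, and that has_any() accepts Y either as a comma-separated string (the page's first example) or as a list field (the page's second example). The kb_list content is constructed sample input.

```python
# Added example: Python models of in(), contains() and has_any().
# Not LogPoint's implementation; the case-sensitivity and exact-element
# assumptions are stated in the lead-in.
from typing import Iterable, Union


def in_(value: str, *candidates: str) -> bool:
    """in(field, v1, v2, ...): exact, case-sensitive match against the list."""
    return value in candidates


def contains(x: str, y: str, z: str = ",") -> bool:
    """contains(X, Y, Z): X equals one of the elements of Y split on Z.

    The comma is the default delimiter, as the page states. This is an
    element match, not a substring search: 'sys' is not in '/var/log/syslog'.
    """
    return x in y.split(z)


def has_any(x: str, y: Union[str, Iterable[str]]) -> bool:
    """has_any(X, Y): true if any entry of Y occurs inside X, case-insensitively.

    Y may be a comma-separated string or an iterable of strings; empty entries
    are skipped so a trailing comma does not match everything.
    """
    items = y.split(",") if isinstance(y, str) else list(y)
    haystack = x.lower()
    return any(item.strip().lower() in haystack for item in items if item.strip())


# Constructed sample list standing in for the page's kb_list field.
KB_LIST = ["language", "python", "syslog"]


def demo() -> dict:
    """Run the page's examples plus the edge cases that separate the three."""
    return {
        "in_admin": in_("admin", "Administrator", "administrator", "Admin", "admin"),
        "in_ADMIN": in_("ADMIN", "Administrator", "administrator", "Admin", "admin"),
        "contains_log": contains("log", "/var/log/syslog", "/"),        # page example
        "contains_sys": contains("sys", "/var/log/syslog", "/"),        # not an element
        "contains_default_delim": contains("b", "a,b,c"),
        "has_any_exe": has_any("hi.exe", ".exe,.dmg"),                  # page example 1
        "has_any_upper": has_any("HI.EXE", ".exe,.dmg"),                # case-insensitive
        "has_any_txt": has_any("notes.txt", ".exe,.dmg"),
        "has_any_kb": has_any("This was a language.", KB_LIST),         # page example 2
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The practical difference is in what each treats as a hit: in() and contains() only fire on a whole-value match, while has_any() fires when any list entry appears anywhere in the field, ignoring case. A list such as .exe,.dmg therefore also flags a value like notes.exe.bak, which is usually what an extension check wants, but an in() list of admin spellings silently misses ADMIN.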