case_contains
Description
Returns a value based on whether a string contains one of several specified substrings.
This function is shorthand for a case expression whose clauses each use contains(). It shortens queries that would otherwise repeat the same conditional for every substring.
Behavior change
Earlier implementations of case_contains evaluated each clause with the text match operator (~) instead of contains(), which did not match the documented behavior. case_contains now evaluates each clause with contains(), a case-sensitive substring test, so a substring that differs only in letter case no longer matches. If your query relied on the previous text-match behavior, use case_find instead.
Note
Like all case statements, case_contains returns the value of the first matching clause and ignores the rest, so the order of clauses is important. In the example below, a cluster named acme-dev-prod-cluster contains both '-prod-' and '-dev-' but yields 'production', because the '-prod-' clause is listed first.
Syntax
case_contains {
s: string,
substring1 -> result1,
substring2 -> result2,
...
substringN -> resultN,
_ -> default
}
Arguments
| Name | Type | Required | Description |
|---|---|---|---|
| s | string | true | The string to check for substrings |
| substring | string | true | A substring to search for within s |
| result | any | true | The value to return if the substring is found |
| _ | any | false | Default value if no substrings match |
Example
Use case: Map cluster names to environment names
Suppose you want to derive a full environment name from the cluster name stored in each log document. Consider these log documents:
Example data
{
"cluster_name": "acme-prod-cluster"
},
{
"cluster_name": "acme-dev-cluster"
},
{
"cluster_name": "acme-stg-cluster"
}
Example query
create environment_name from
case_contains {
$d.cluster_name,
'-prod-' -> 'production',
'-dev-' -> 'development',
'-stg-' -> 'staging',
_ -> 'test'
}
Example output
{
"cluster_name": "acme-prod-cluster",
"environment_name": "production"
},
{
"cluster_name": "acme-dev-cluster",
"environment_name": "development"
},
{
"cluster_name": "acme-stg-cluster",
"environment_name": "staging"
}
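The following Python snippet is an added reference model of the case_contains semantics described above (first matching clause wins, case-sensitive substring test, optional default). It is not DataPrime code and not part of the original page; it exists so you can check how the example query behaves on inputs the page does not show, such as a cluster name containing two of the substrings or one with different letter case. The sample documents are constructed for this example, and the `unmatched` helper is an assumption added here to show how to audit which documents silently fell through to the default.

```python
"""Reference model of case_contains (added example, not DataPrime itself)."""
from typing import Any, Dict, List, Sequence, Tuple

Clause = Tuple[str, Any]  # (substring, result), in clause order


def case_contains(s: str, clauses: Sequence[Clause], default: Any = None) -> Any:
    """Return the result of the first clause whose substring occurs in s.

    The test is a plain case-sensitive substring check (Python's `in`),
    mirroring the documented contains() behaviour. Clause order decides
    the winner when several substrings are present; `default` models the
    `_ ->` clause and is returned when nothing matches.
    """
    for substring, result in clauses:
        if substring in s:
            return result
    return default


# Clauses from the example query, in the same order.
ENV_CLAUSES: List[Clause] = [
    ("-prod-", "production"),
    ("-dev-", "development"),
    ("-stg-", "staging"),
]


def environment_name(doc: Dict[str, Any]) -> str:
    """Model `create environment_name from case_contains { $d.cluster_name, ... }`.

    A missing cluster_name is treated as an empty string here; that is an
    assumption of this model, not documented DataPrime behaviour.
    """
    return case_contains(doc.get("cluster_name", ""), ENV_CLAUSES, default="test")


def enrich(docs: Sequence[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Add environment_name to each document, like the example output."""
    return [{**doc, "environment_name": environment_name(doc)} for doc in docs]


def unmatched(docs: Sequence[Dict[str, Any]]) -> List[str]:
    """List cluster names that hit the `_` default, for auditing.

    A default such as 'test' hides misspelled or differently cased cluster
    names; surfacing them is cheaper than mislabelling production traffic.
    """
    return [
        doc.get("cluster_name", "")
        for doc in docs
        if case_contains(doc.get("cluster_name", ""), ENV_CLAUSES) is None
    ]


# Constructed sample documents: the three from the page plus three edge cases.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"cluster_name": "acme-prod-cluster"},
    {"cluster_name": "acme-dev-cluster"},
    {"cluster_name": "acme-stg-cluster"},
    {"cluster_name": "acme-dev-prod-cluster"},  # two matches: first clause wins
    {"cluster_name": "acme-PROD-cluster"},      # case differs: falls to default
    {"cluster_name": "acme-prod"},              # no trailing '-': falls to default
]


if __name__ == "__main__":
    for row in enrich(SAMPLE_DOCS):
        print(row)
    print("unmatched:", unmatched(SAMPLE_DOCS))
```

Run it and compare the last three rows with what you expected: the order-dependence and the case-sensitive miss are exactly the two behaviours the Note and the Behavior change sections above call out, and `unmatched` is the check worth running over real data before trusting the `_` default.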