case_greaterthan - Shorthand for case for greater than operations
This shorthand will allow users to quickly define case statements for numeric comparisons where a given value is larger than the comparison field.
Note
This case statement, like all case statements, will return the first matching value. This means the order of the clauses in your case statement is extremely important.
Syntax
case_greaterthan {
n: number,
value1: number -> result1,
value2: number -> result2,
...
valueN: number -> resultN,
_ -> <default-value>
}
Example - Mapping numeric HTTP status codes to text descriptions
Our goal is to add a field, status_description, which is a text description of a given HTTP status code. Consider the following log documents:
We simply need to use the status_code field as our candidate and compare in descending order. We compare in descending order because the case statement will return the first value that matches. For example, a value of 404 should not match 500, but it should match 400 and nothing else.
Note
Each threshold must be reduced by 1 because case_greaterthan uses a strict "greater than" comparison (not "greater than or equal to"). For example, to capture status codes in the 4xx range, you should use 399 as the threshold, not 400.
case_greaterthan {
$d.status_code,
499 -> 'server-error',
399 -> 'client-error',
299 -> 'redirection',
199 -> 'success',
99 -> 'information',
_ -> 'other'
}
We can then save the output of this into a new field, like so:
create status_description from
case_greaterthan {
$d.status_code,
499 -> 'server-error',
399 -> 'client-error',
299 -> 'redirection',
199 -> 'success',
99 -> 'information',
_ -> 'other'
}
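To make the two rules above concrete (first match wins, strict greater-than), here is an added Python model of the case_greaterthan semantics. It is not the product's own implementation; the clause list mirrors the example above, and the sample status codes are constructed to hit the boundary values. It also evaluates the same clauses in ascending order to show why that ordering gives wrong results.

```python
from typing import Any, Sequence, Tuple

# Hypothetical reference model of case_greaterthan (added example, not the
# product's code): clauses are tried in order, the first threshold that the
# candidate is strictly greater than wins, and `default` is the `_` clause.
Clause = Tuple[float, Any]


def case_greaterthan(n: float, clauses: Sequence[Clause], default: Any = None) -> Any:
    """Return the result of the first clause whose threshold is strictly below n."""
    for threshold, result in clauses:
        if n > threshold:  # strict: 400 > 399 is True, 399 > 399 is False
            return result
    return default


# The page's descending clause list, each threshold already reduced by 1.
STATUS_CLAUSES: Sequence[Clause] = [
    (499, "server-error"),
    (399, "client-error"),
    (299, "redirection"),
    (199, "success"),
    (99, "information"),
]

# The same clauses in ascending order: wrong, because the first match wins,
# so every code above 99 would be reported as "information".
ASCENDING_CLAUSES: Sequence[Clause] = list(reversed(STATUS_CLAUSES))


def status_description(status_code: int) -> str:
    """Equivalent of `create status_description from case_greaterthan {...}`."""
    return case_greaterthan(status_code, STATUS_CLAUSES, "other")


def describe_all(status_codes: Sequence[int], clauses: Sequence[Clause]) -> dict:
    """Map each status code to its description under the given clause order."""
    return {code: case_greaterthan(code, clauses, "other") for code in status_codes}


if __name__ == "__main__":
    # Constructed sample status codes, including boundary values.
    sample = [100, 200, 299, 300, 399, 400, 404, 500, 503, 42]
    print("descending:", describe_all(sample, STATUS_CLAUSES))
    print("ascending: ", describe_all(sample, ASCENDING_CLAUSES))
```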