Solved: How to add a conditional where based on the field ...

jieli · ‎04-24-2020

I use the command above to filter the result by looking into the json field cityCode, and verify if the value equals to my dropdown value selection, by default all cityCode would be included (%).
The issue is when the message does not have the cityCode field, the default select All cityCode will not work since the like (pcc,"%") would fail.

Currently, the conditional selection is inside the where clause, Is there a way to do conditional selection outside the where clause, meaning if I did not select cityCode, the where clause should be ignored completely.

manjunathmeti · ‎04-24-2020

hi @jieli,

Try this. Here pcc will be set to "" values when cityCode not exists in the events and like matches "" values.

mvexpand metrics | spath input=metrics | eval pcc = if(isnotnull(cityCode), cityCode, "") | where if($selected_pcc|s$="all",like(pcc,"%"),like(pcc,$selected_pcc|s$)) | stats count as Total

View solution in original post

manjunathmeti · ‎04-24-2020

hi @jieli,

Try this. Here pcc will be set to "" values when cityCode not exists in the events and like matches "" values.

mvexpand metrics | spath input=metrics | eval pcc = if(isnotnull(cityCode), cityCode, "") | where if($selected_pcc|s$="all",like(pcc,"%"),like(pcc,$selected_pcc|s$)) | stats count as Total

How to add a conditional where based on the field existence?

Get More Out of Your Security Practice With a SIEM

New This Month - SLO Capabilities, APM Advanced Filtering & Usage Analytics Plus ...

Enterprise Security Content Update (ESCU) | New Releases