ES|QL CASE function

×

condition

A condition.

trueValue

The expression or value that’s returned when the corresponding condition is the first to evaluate to true. Can be a column reference or any other expression. The default value is returned when no condition matches.

elseValue

The value that’s returned when no condition evaluates to true.

Accepts pairs of conditions and values. The function returns the value that belongs to the first condition that evaluates to true. Both the conditions and the returned values can be any expression, including column references. If the number of arguments is odd, the last argument is the default value which is returned when no condition matches. If the number of arguments is even, and no condition matches, the function returns null.

Determine whether employees are monolingual, bilingual, or polyglot:

FROM employees
| EVAL type = CASE(
    languages <= 1, "monolingual",
    languages <= 2, "bilingual",
     "polyglot")
| KEEP emp_no, languages, type
		

Calculate the total connection success rate based on log messages:

FROM sample_data
| EVAL successful = CASE(
    STARTS_WITH(message, "Connected to"), 1,
    message == "Connection error", 0
  )
| STATS success_rate = AVG(successful)
		

Calculate an hourly error rate as a percentage of the total number of log messages:

FROM sample_data
| EVAL error = CASE(message LIKE "*error*", 1, 0)
| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
| STATS error_rate = AVG(error) by hour
| SORT hour
		

Extract error messages and count distinct ones using a column expression:

FROM sample_data
| EVAL error_message = CASE(message LIKE "*error*", message, null)
| STATS distinct_error_messages = COUNT_DISTINCT(error_message)