Introduction

The case function evaluates a sequence of condition-result pairs and returns the result paired with the first condition that evaluates to true. Use it to map raw values to human-readable labels, define alert severity tiers, or apply multi-way branching in a single expression instead of chaining multiple iff calls.

case is particularly useful when you need to classify log events into categories, route spans into latency buckets, or assign risk scores to requests based on several attributes at once.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, the case() function inside eval takes alternating condition-value pairs. APL's case works the same way: provide pairs of (condition, value) followed by a fallback value.

Splunk example:

```sql
... | eval severity = case(status==200, "success", status==404, "not found", "other")
```

APL equivalent:

```
['sample-http-logs']
| extend severity = case(status == '200', 'success', status == '404', 'not found', 'other')
```

SQL uses CASE WHEN condition THEN value ... ELSE fallback END. APL's case is functionally equivalent but uses a compact function-call syntax. The last argument serves as the ELSE value.

SQL example:

```sql
SELECT CASE WHEN status = '200' THEN 'success' WHEN status = '404' THEN 'not found' ELSE 'other' END AS severity FROM sample_http_logs
```

APL equivalent:

```
['sample-http-logs']
| extend severity = case(status == '200', 'success', status == '404', 'not found', 'other')
```

Usage

Syntax

```
case(condition1, result1 [, condition2, result2, ...], nothingMatchedResult)
```

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| conditionN | bool | Yes | Expression to evaluate. APL tests conditions in order and returns the result paired with the first true condition. |
| resultN | scalar | Yes | Value returned when the preceding condition is the first to evaluate to true. All result expressions must be of the same type. |
| nothingMatchedResult | scalar | Yes | Value returned when no condition evaluates to true. Must be the same type as the result expressions. |

Returns

The value paired with the first condition that evaluates to true, or nothingMatchedResult if no condition is true.

Use case examples

Classify HTTP responses by status code to summarize request outcomes.

Query

```
['sample-http-logs']
| extend severity = case(
    status == '200', 'success',
    status == '404', 'not found',
    status == '500', 'server error',
    'other'
  )
| summarize count() by severity
```


Output

| severity | count_ |
|---|---|
| success | 8412 |
| other | 1203 |
| not found | 534 |
| server error | 182 |

The query assigns a human-readable label to each request based on its HTTP status code, then counts how many requests fall into each category.

Classify span durations into latency tiers to surface the slowest services.

Query

```
['otel-demo-traces']
| extend priority = case(
    duration > 1s, 'critical',
    duration > 500ms, 'high',
    duration > 100ms, 'medium',
    'low'
  )
| summarize count() by priority, ['service.name']
```


Output

| priority | service.name | count_ |
|---|---|---|
| low | frontend | 4210 |
| medium | checkout | 823 |
| high | cart | 144 |
| critical | product-catalog | 38 |

The query buckets spans into four latency tiers and shows how many spans each service contributes to each tier. The thresholds are listed from largest to smallest on purpose: because case returns the first true match, a 1.5 s span is checked against `duration > 1s` before the looser tiers and lands in `critical`.

Assign risk levels to requests based on HTTP status codes and methods to prioritize investigation.

Query

```
['sample-http-logs']
| extend risk_level = case(
    status == '401', 'unauthorized',
    status == '403', 'forbidden',
    status == '500', 'server error',
    method == 'DELETE', 'destructive',
    'normal'
  )
| summarize count() by risk_level
| sort by count_ desc
```


Output

| risk_level | count_ |
|---|---|
| normal | 9100 |
| unauthorized | 430 |
| forbidden | 312 |
| server error | 182 |
| destructive | 71 |

The query flags requests that may indicate security issues and summarizes them by risk category so you can see which types of events occur most frequently. Since each request receives only the first matching label, a DELETE request that returned 401 is counted as `unauthorized`, not `destructive`; order the conditions so the label you most want to surface comes first.
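The latency-tier and risk-level queries above both depend on condition order. The following Python block is an added illustration, not Axiom's code or an APL runtime: it models the documented semantics of case (first true condition wins, last argument is the fallback, all results share one type) and runs the two classifiers over constructed rows so the effect of reordering the conditions can be checked offline. The `case`, `risk_level`, `priority` and `summarize` functions, and the sample rows, are all assumptions made for this example.

```python
"""Reference model of APL case() evaluation order over constructed sample rows.

Added illustration (not Axiom's implementation): it reproduces the documented
behaviour of case so the ordering pitfalls in the latency and risk-level
examples can be demonstrated without a live dataset.
"""
from typing import Any, Callable, Dict, List


def case(*args: Any) -> Any:
    """Mimic APL case(cond1, result1, ..., condN, resultN, nothingMatchedResult).

    Conditions are already-evaluated booleans; results are scalars.
    Raises ValueError when no fallback is supplied or when the result
    expressions are not all of one type, mirroring the documented constraints.
    """
    if len(args) < 3 or len(args) % 2 == 0:
        raise ValueError("case() needs condition/result pairs plus a fallback")
    fallback = args[-1]
    pairs = list(zip(args[0:-1:2], args[1:-1:2]))
    results = [r for _, r in pairs] + [fallback]
    if len({type(r) for r in results}) != 1:
        raise ValueError("all result expressions must be of the same type")
    for cond, result in pairs:
        if cond:  # first true condition wins; later pairs are never consulted
            return result
    return fallback


# Constructed rows modelled on the ['sample-http-logs'] dataset (not real data).
SAMPLE_HTTP_LOGS: List[Dict[str, str]] = [
    {"status": "200", "method": "GET"},
    {"status": "401", "method": "DELETE"},  # matches both a status and the method check
    {"status": "403", "method": "GET"},
    {"status": "200", "method": "DELETE"},
    {"status": "500", "method": "POST"},
    {"status": "200", "method": "GET"},
]


def risk_level(row: Dict[str, str], status_first: bool = True) -> str:
    """The page's risk_level classifier. status_first=False moves the DELETE
    check ahead of the status checks to show how the label changes."""
    status_checks = (
        row["status"] == "401", "unauthorized",
        row["status"] == "403", "forbidden",
        row["status"] == "500", "server error",
    )
    method_check = (row["method"] == "DELETE", "destructive")
    ordered = (status_checks + method_check) if status_first else (method_check + status_checks)
    return case(*ordered, "normal")


def priority(duration_ms: int, largest_first: bool = True) -> str:
    """The page's latency tiers with durations in milliseconds. With
    largest_first=False the thresholds are listed ascending, so every span
    over 100 ms stops at the first true check and is labelled 'medium'."""
    tiers = [
        (duration_ms > 1000, "critical"),
        (duration_ms > 500, "high"),
        (duration_ms > 100, "medium"),
    ]
    if not largest_first:
        tiers.reverse()
    flat = [item for pair in tiers for item in pair]
    return case(*flat, "low")


def summarize(rows: List[Dict[str, str]], classify: Callable[[Dict[str, str]], str]) -> Dict[str, int]:
    """Equivalent of '| summarize count() by label | sort by count_ desc'."""
    counts: Dict[str, int] = {}
    for row in rows:
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(summarize(SAMPLE_HTTP_LOGS, risk_level))
    print(summarize(SAMPLE_HTTP_LOGS, lambda r: risk_level(r, status_first=False)))
    print([priority(d) for d in (20, 150, 700, 1500)])
    print([priority(d, largest_first=False) for d in (20, 150, 700, 1500)])
```

With the page's ordering the 401 DELETE row is counted under `unauthorized`; with the method check moved first it is counted under `destructive` and `unauthorized` disappears from the summary entirely. Likewise the 1.5 s span drops from `critical` to `medium` when the thresholds are listed ascending. When an APL case classifier feeds an alert or a dashboard, review the condition order as carefully as the conditions themselves.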

  • iff: Returns one of two values based on a single Boolean predicate. Use iff for binary decisions and case when you have three or more outcomes.
  • coalesce: Returns the first non-null value from a list of expressions. Use coalesce to handle missing values rather than branching on conditions.
