Introduction
The case function evaluates a sequence of condition-result pairs and returns the value of the first condition that evaluates to true. Use it to map raw values to human-readable labels, define alert severity tiers, or apply multi-way branching in a single expression instead of chaining multiple iff calls.
case is particularly useful when you need to classify log events into categories, route spans into latency buckets, or assign risk scores to requests based on several attributes at once.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the case() function inside eval takes alternating condition-value pairs. APL's case works the same way: provide pairs of (condition, value) followed by a fallback value.

```kusto
['sample-http-logs']
| extend severity = case(status == '200', 'success', status == '404', 'not found', 'other')
```

SQL uses CASE WHEN condition THEN value ... ELSE fallback END. APL's case is functionally equivalent but uses a compact function-call syntax. The last argument serves as the ELSE value.

```kusto
['sample-http-logs']
| extend severity = case(status == '200', 'success', status == '404', 'not found', 'other')
```

Usage
Syntax
```kusto
case(condition1, result1 [, condition2, result2, ...], nothingMatchedResult)
```

Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| conditionN | bool | Yes | Expression to evaluate. APL tests conditions in order and returns the result paired with the first condition that evaluates to true. |
| resultN | scalar | Yes | Value returned when the preceding condition is the first to evaluate to true. All result expressions must be of the same type. |
| nothingMatchedResult | scalar | Yes | Value returned when no condition evaluates to true. Must be the same type as the result expressions. |
Returns
The value paired with the first condition that evaluates to true, or nothingMatchedResult if no condition is true.
Use case examples
Classify HTTP responses by status code to summarize request outcomes.
Query
```kusto
['sample-http-logs']
| extend severity = case(
    status == '200', 'success',
    status == '404', 'not found',
    status == '500', 'server error',
    'other'
)
| summarize count() by severity
```

Output
| severity | count_ |
|---|---|
| success | 8412 |
| other | 1203 |
| not found | 534 |
| server error | 182 |
The query assigns a human-readable label to each request based on its HTTP status code, then counts how many requests fall into each category.
Classify span durations into latency tiers to surface the slowest services.
Query
```kusto
['otel-demo-traces']
| extend priority = case(
    duration > 1s, 'critical',
    duration > 500ms, 'high',
    duration > 100ms, 'medium',
    'low'
)
| summarize count() by priority, ['service.name']
```

Output
| priority | service.name | count_ |
|---|---|---|
| low | frontend | 4210 |
| medium | checkout | 823 |
| high | cart | 144 |
| critical | product-catalog | 38 |
The query buckets spans into four latency tiers and shows how many spans each service contributes to each tier.
Assign risk levels to requests based on HTTP status codes and methods to prioritize investigation.
Query
```kusto
['sample-http-logs']
| extend risk_level = case(
    status == '401', 'unauthorized',
    status == '403', 'forbidden',
    status == '500', 'server error',
    method == 'DELETE', 'destructive',
    'normal'
)
| summarize count() by risk_level
| sort by count_ desc
```

Output
| risk_level | count_ |
|---|---|
| normal | 9100 |
| unauthorized | 430 |
| forbidden | 312 |
| server error | 182 |
| destructive | 71 |
The query flags requests that may indicate security issues and summarizes them by risk category so you can see which types of events occur most frequently.
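Because case returns the result of the first true condition, the order of the pairs decides the label when a request matches more than one rule (a DELETE that returned 401 is 'unauthorized' in the query above, never 'destructive'). The following Python model of case semantics, added here and not Axiom's code, replays the risk_level rules over constructed sample rows in two orderings so the difference in counts is visible; the rows and the apl_case and risk_counts helpers are assumptions for illustration.

```python
from typing import Any, Callable, Sequence

# Added example, not Axiom's code: a model of APL case() first-match semantics.
Row = dict[str, Any]
Rule = tuple[Callable[[Row], bool], Any]

def apl_case(rules: Sequence[Rule], nothing_matched: Any, row: Row) -> Any:
    """Return the result paired with the first true condition, else the fallback."""
    # Like APL, all result values (fallback included) must share one type.
    results = [result for _, result in rules] + [nothing_matched]
    if len({type(r) for r in results}) != 1:
        raise TypeError("all case() results must be of the same type")
    for condition, result in rules:
        if condition(row):  # tested in order; later pairs never get a chance
            return result
    return nothing_matched

# Rules in the order used by the risk_level query: status checks, then method.
STATUS_FIRST: list[Rule] = [
    (lambda r: r["status"] == "401", "unauthorized"),
    (lambda r: r["status"] == "403", "forbidden"),
    (lambda r: r["status"] == "500", "server error"),
    (lambda r: r["method"] == "DELETE", "destructive"),
]
# The same rules with the method check moved to the front.
METHOD_FIRST: list[Rule] = [STATUS_FIRST[3]] + STATUS_FIRST[:3]

# Constructed sample rows (hypothetical, not taken from sample-http-logs).
SAMPLE_ROWS: list[Row] = [
    {"status": "200", "method": "GET"},
    {"status": "401", "method": "DELETE"},  # matches two rules; order decides
    {"status": "403", "method": "GET"},
    {"status": "200", "method": "DELETE"},
    {"status": "500", "method": "DELETE"},
]

def risk_counts(rules: Sequence[Rule], rows: Sequence[Row]) -> dict[str, int]:
    """Equivalent of '| summarize count() by risk_level' for one rule ordering."""
    counts: dict[str, int] = {}
    for row in rows:
        label = apl_case(rules, "normal", row)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(risk_counts(STATUS_FIRST, SAMPLE_ROWS))
    print(risk_counts(METHOD_FIRST, SAMPLE_ROWS))
```

Putting the method check first turns three of the five rows into 'destructive' and hides the 401 and 500 signals, so order the pairs from the most specific condition to the most general.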