Introduction

The iff function evaluates a single Boolean predicate and returns one of two values depending on the result. Use it to add binary flag columns, choose between two computed expressions, or conditionally override a value in one step.

The iif function is an alias for iff and behaves identically. For three or more branches, use case instead.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL uses if(condition, value_if_true, value_if_false) inside an eval command. APL's iff takes the same three arguments in the same order.

```sql Splunk example
... | eval speed = if(req_duration_ms > 1000, "slow", "fast")
```
['sample-http-logs']
| extend speed = iff(req_duration_ms > 1000, 'slow', 'fast')

SQL Server provides IIF(condition, value_if_true, value_if_false), which maps directly to APL's iff. In ANSI SQL you can also write CASE WHEN condition THEN value_if_true ELSE value_if_false END, which is equivalent.

```sql SQL example
SELECT IIF(req_duration_ms > 1000, 'slow', 'fast') AS speed
FROM sample_http_logs
```
['sample-http-logs']
| extend speed = iff(req_duration_ms > 1000, 'slow', 'fast')

Usage

Syntax

iff(predicate, ifTrue, ifFalse)

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| predicate | bool | Yes | Expression that evaluates to true or false. |
| ifTrue | scalar | Yes | Value returned when predicate is true. |
| ifFalse | scalar | Yes | Value returned when predicate is false. Must be the same type as ifTrue. |

Returns

The value of ifTrue when predicate evaluates to true, or ifFalse otherwise.

To return a null value from `iff`, use `dynamic(null)`.
iff(condition, dynamic(null), value)

Use case examples

Flag requests that take longer than one second to identify slow endpoints.

Query

['sample-http-logs']
| extend is_slow = iff(req_duration_ms > 1000, 'slow', 'fast')
| summarize count() by is_slow


Output

| is_slow | count_ |
| --- | --- |
| fast | 9630 |
| slow | 501 |

The query adds an is_slow column to each request and then counts how many fall into each category.
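The introduction mentions binary flag columns. As an added example (not part of the original page), the query below emits a numeric 0/1 flag instead of a string label, so the flag can be summed into an hourly slow-request percentage. It assumes the dataset has the usual `_time` timestamp field; the column names `total`, `slow` and `slow_pct` are illustrative.

```kusto
['sample-http-logs']
// Both branches are integers, so ifTrue and ifFalse share a type.
| extend is_slow = iff(req_duration_ms > 1000, 1, 0)
// Summing the 0/1 flag counts slow requests in each one-hour bucket.
| summarize total = count(), slow = sum(is_slow) by bin(_time, 1h)
// Multiply by 100.0 first so the division is done in floating point.
| extend slow_pct = round(100.0 * slow / total, 2)
```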

Label spans as long or short based on their duration to get a quick overview of latency distribution per service.

Query

['otel-demo-traces']
| extend is_long = iff(duration > 500ms, 'long', 'short')
| summarize count() by is_long, ['service.name']


Output

| is_long | service.name | count_ |
| --- | --- | --- |
| short | frontend | 4210 |
| short | cart | 1830 |
| long | checkout | 423 |
| long | product-catalog | 182 |

The query shows how many spans per service exceed the 500 ms threshold.

  • case: Multi-branch conditional that evaluates a list of conditions and returns the first matching result. Use case when you have three or more outcomes.
  • coalesce: Returns the first non-null value from a list of expressions. Use coalesce when you want to fall back from null rather than branch on a condition.
