Axiom Docs

Introduction

The case function evaluates a sequence of condition-result pairs and returns the value of the first condition that evaluates to true. Use it to map raw values to human-readable labels, define alert severity tiers, or apply multi-way branching in a single expression instead of chaining multiple iff calls. case is particularly useful when you need to classify log events into categories, route spans into latency buckets, or assign risk scores to requests based on several attributes at once.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, the case() function inside eval takes alternating condition-value pairs. APL’s case works the same way: provide pairs of (condition, value) followed by a fallback value.

... | eval severity = case(status==200, "success", status==404, "not found", "other")

ANSI SQL users

SQL uses CASE WHEN condition THEN value ... ELSE fallback END. APL’s case is functionally equivalent but uses a compact function-call syntax. The last argument serves as the ELSE value.

SELECT
  CASE
    WHEN status = '200' THEN 'success'
    WHEN status = '404' THEN 'not found'
    ELSE 'other'
  END AS severity
FROM sample_http_logs

Usage

Syntax

case(condition1, result1 [, condition2, result2, ...], nothingMatchedResult)

Parameters

Name	Type	Required	Description
conditionn	bool	Yes	Expression to evaluate. APL tests conditions in order and returns the result paired with the first `true` condition.
resultn	scalar	Yes	Value returned when the preceding condition is the first to evaluate to `true`. All result expressions must be of the same type.
nothingMatchedResult	scalar	Yes	Value returned when no condition evaluates to `true`. Must be the same type as the result expressions.

Returns

The value paired with the first condition that evaluates to true, or nothingMatchedResult if no condition is true.

Use case examples

Log analysis
OpenTelemetry traces
Security logs

Classify HTTP responses by status code to summarize request outcomes.Query

['sample-http-logs']
| extend severity = case(
    status == '200', 'success',
    status == '404', 'not found',
    status == '500', 'server error',
    'other'
  )
| summarize count() by severity

Run in PlaygroundOutput

severity	count_
success	8412
other	1203
not found	534
server error	182

The query assigns a human-readable label to each request based on its HTTP status code, then counts how many requests fall into each category.

Classify span durations into latency tiers to surface the slowest services.Query

['otel-demo-traces']
| extend priority = case(
    duration > 1s, 'critical',
    duration > 500ms, 'high',
    duration > 100ms, 'medium',
    'low'
  )
| summarize count() by priority, ['service.name']

Run in PlaygroundOutput

priority	service.name	count_
low	frontend	4210
medium	checkout	823
high	cart	144
critical	product-catalog	38

The query buckets spans into four latency tiers and shows how many spans each service contributes to each tier.

Assign risk levels to requests based on HTTP status codes and methods to prioritize investigation.Query

['sample-http-logs']
| extend risk_level = case(
    status == '401', 'unauthorized',
    status == '403', 'forbidden',
    status == '500', 'server error',
    method == 'DELETE', 'destructive',
    'normal'
  )
| summarize count() by risk_level
| sort by count_ desc

Run in PlaygroundOutput

risk_level	count_
normal	9100
unauthorized	430
forbidden	312
server error	182
destructive	71

The query flags requests that may indicate security issues and summarizes them by risk category so you can see which types of events occur most frequently.

iff: Returns one of two values based on a single Boolean predicate. Use iff for binary decisions and case when you have three or more outcomes.
coalesce: Returns the first non-null value from a list of expressions. Use coalesce to handle missing values rather than branching on conditions.

Introduction

APL

MPL

​Introduction

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related functions

Introduction

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related functions