Axiom Docs

Introduction

The iff function evaluates a single Boolean predicate and returns one of two values depending on the result. Use it to add binary flag columns, choose between two computed expressions, or conditionally override a value in one step. The iif function is an alias for iff and behaves identically. For three or more branches, use case instead.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

Splunk SPL uses if(condition, value_if_true, value_if_false) inside an eval command. APL’s iff takes the same three arguments in the same order.

... | eval speed = if(req_duration_ms > 1000, "slow", "fast")

ANSI SQL users

SQL Server provides IIF(condition, value_if_true, value_if_false), which maps directly to APL’s iff. In ANSI SQL you can also write CASE WHEN condition THEN value_if_true ELSE value_if_false END, which is equivalent.

SELECT IIF(req_duration_ms > 1000, 'slow', 'fast') AS speed
FROM sample_http_logs

Usage

Syntax

iff(predicate, ifTrue, ifFalse)

Parameters

Name	Type	Required	Description
predicate	bool	Yes	Expression that evaluates to `true` or `false`.
ifTrue	scalar	Yes	Value returned when `predicate` is `true`.
ifFalse	scalar	Yes	Value returned when `predicate` is `false`. Must be the same type as `ifTrue`.

Returns

The value of ifTrue when predicate evaluates to true, or ifFalse otherwise.

To return a null value from iff, use dynamic(null).

iff(condition, dynamic(null), value)

Use case examples

Log analysis
OpenTelemetry traces

Flag requests that take longer than one second to identify slow endpoints.Query

['sample-http-logs']
| extend is_slow = iff(req_duration_ms > 1000, 'slow', 'fast')
| summarize count() by is_slow

Run in PlaygroundOutput

is_slow	count_
fast	9630
slow	501

The query adds a is_slow column to each request and then counts how many fall into each category.

Label spans as long or short based on their duration to get a quick overview of latency distribution per service.Query

['otel-demo-traces']
| extend is_long = iff(duration > 500ms, 'long', 'short')
| summarize count() by is_long, ['service.name']

Run in PlaygroundOutput

is_long	service.name	count_
short	frontend	4210
short	cart	1830
long	checkout	423
long	product-catalog	182

The query shows how many spans per service exceed the 500 ms threshold.

case: Multi-branch conditional that evaluates a list of conditions and returns the first matching result. Use case when you have three or more outcomes.
coalesce: Returns the first non-null value from a list of expressions. Use coalesce when you want to fall back from null rather than branch on a condition.

Introduction

APL

MPL

​Introduction

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related functions

Introduction

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related functions