Case - Elasticsearch

% This is generated by ESQL's AbstractFunctionTestCase. Do not edit it. See ../README.md for how to regenerate it.

Examples

Determine whether employees are monolingual, bilingual, or polyglot:

esql

FROM employees
| EVAL type = CASE(
    languages <= 1, "monolingual",
    languages <= 2, "bilingual",
     "polyglot")
| KEEP emp_no, languages, type

emp_no:integer	languages:integer	type:keyword
10001	2	bilingual
10002	5	polyglot
10003	4	polyglot
10004	5	polyglot
10005	1	monolingual

Calculate the total connection success rate based on log messages:

esql

FROM sample_data
| EVAL successful = CASE(
    STARTS_WITH(message, "Connected to"), 1,
    message == "Connection error", 0
  )
| STATS success_rate = AVG(successful)

success_rate:double
0.5

Calculate an hourly error rate as a percentage of the total number of log messages:

esql

FROM sample_data
| EVAL error = CASE(message LIKE "*error*", 1, 0)
| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
| STATS error_rate = AVG(error) by hour
| SORT hour

error_rate:double	hour:date
0.0	2023-10-23T12:00:00.000Z
0.6	2023-10-23T13:00:00.000Z

Extract error messages and count distinct ones using a column expression:

esql

FROM sample_data
| EVAL error_message = CASE(message LIKE "*error*", message, null)
| STATS distinct_error_messages = COUNT_DISTINCT(error_message)

distinct_error_messages:long
1