I had a situation where it was much better to have an “if-else” kind of a statement within a pipeline rule, rather than creating multiple pipeline rules to accomplish the same thing. It took some experimentation, but I got this trick to work, so I thought I’d share it with the community!
In my situation, I was using a regex() function to get three values, one of which could exist in two locations within the regex’d string. Using capture groups in the regex() function, I extracted the four possibilities (two always-present fields, and one for each position where the other field would be), and then created a Map to be used in conjunction with the is_not_null() function (the is_null() function would also work, but in my case it was more logical as a human to read it with is_not_null()). Here’s the resulting code:
let findings = regex("<regex_str>", to_string($message.message), ["name_before", "ip", "port", "name_after"]);
let fields = concat("true=", to_string(findings.name_before));
let fields = concat(to_string(fields), " false=");
let fields = concat(to_string(fields), to_string(findings.name_after));
let names = key_value(fields);
let name = names.to_string(is_not_null(findings.name_before));
set_field("ovpn_user", name);
And a little bit of simplification…
let findings = regex("<regex_str>", to_string($message.message), ["name_before", "ip", "port", "name_after"]);
let names = key_value(concat(concat(concat("true=", to_string(findings.name_before)), " false="), to_string(findings.name_after)));
set_field("ovpn_user", names.to_string(is_not_null(findings.name_before)));
Hopefully this if/else trick can help someone else!