
if operator and ?

There are two forms of ternary expression you can use in Sumo Logic queries: one is constructed using the IF operator, and the other uses the question mark (?) operator. The syntax varies slightly, but the results are equivalent. You can use the syntax you're most comfortable with.

These expressions evaluate a condition as either true or false, with a value assigned for each outcome. They are a shorthand way to express an if-else condition: the entire expression returns value_if_true if the condition is true, and value_if_false if it is false. The two sub-expressions (value_if_true and value_if_false) must have the same type.

Using the if operator


  • ... | if(condition, value_if_true, value_if_false) as alias_field | ...


  • ... | if(status_code matches "5*", 1, 0) as servererror | ...
  • ... | if(status_code matches "2*", 1, 0) as success | ...

To create nested if statements, your query should use the following syntax:

| if(message matches "*/schedule?*","Alert Scheduled",if(message matches "*/update?*","Alert Updated",if(message matches "*/cancel?*","Alert Canceled","N/A"))) as problem

Using the Question Mark (?) operator


  • ... | alias_field = condition ? value_if_true : value_if_false | ...


  • disk_usage > threshold ? "disk full" : "OK" as status
  • a < b ? a : b      // This is the same as min(a, b)
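
The following query is an added example, not taken from the Sumo Logic documentation; it uses both forms in one pipeline to turn the `servererror` flag into a per-interval health status. The source category, the parse pattern, and the 0.05 threshold are assumptions made for illustration.

```sumo
// Constructed example: source category and parse pattern are assumptions.
_sourceCategory=web/access
| parse "HTTP/1.1\" * " as status_code
// if form: both branches are numbers, so the flag can be summed below.
| if(status_code matches "5*", 1, 0) as servererror
| timeslice 5m
| count as requests, sum(servererror) as errors by _timeslice
| errors / requests as error_rate
// ? form: both branches are strings, which satisfies the same-type rule.
// The 0.05 threshold is an arbitrary value chosen for this example.
| error_rate > 0.05 ? "degraded" : "OK" as status
```

Returning 1 and 0 from the first expression is what makes the later `sum` meaningful; returning "error" and 0 instead would mix types across the two branches.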

For information on handling null values, see isNull operator.