Is your feature request related to a problem? Please describe
We sometimes need to combine results from different extract operations because the same data is logged under different field names.
For example, user IDs may appear as user_id, userid, or userId depending on the log source.
Currently, we handle this by chaining format pipes like:
| format if(!result:*) '<field1>' result
This works, but it’s verbose and less intuitive when the goal is simply to say “take the first available value among these fields.”
Additionally, we sometimes want to filter across multiple possible fields at once, e.g., search for "error" in field1, field2, or field3.
Describe the solution you'd like
A more concise and SQL-like syntax such as:
| coalesce(field1, field2, field3) as result
or
| field1 OR field2 OR field3 as result
This would make it easier to normalize results into a single field when different logs use different field names.
It would also be helpful if similar syntax worked inside filters, e.g.:
coalesce(field1, field2, field3):"error"
to search across multiple fields at the same time.
Describe alternatives you've considered
- Chaining format pipes with conditional checks, but this becomes hard to read and maintain.
- Writing separate queries for each field variant, which is inefficient and error-prone.
Additional information
Note: This might actually be two related but distinct features:
- A coalesce-like function for combining fields into one.
- A way to apply filters across multiple possible fields at once.
original discussed in slack: https://app.slack.com/client/TH86JGEEN/C05UNTPAEDN
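As an added illustration (not code from the issue or from the project it targets), the two semantics the note above distinguishes, modelled in Python over constructed dict records: `coalesce` returns the first non-empty candidate field, mirroring the `if(!result:*)` guard of the current format-pipe workaround (a missing field and an empty string both count as "no value"), while the filter is shown in both readings, "match the coalesced value" versus "match any of the candidate fields". The field names and sample events are made up for the example.

```python
"""Added example modelling the requested coalesce / multi-field filter semantics.

Constructed data: the same user id appears under three field names, and the
message text may live in `_msg` or `detail`. Nothing here is the query
language's own implementation; it only makes the proposed behaviour concrete.
"""

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"_msg": "login ok", "user_id": "u-100"},
    {"_msg": "token refresh", "userid": "u-200"},
    {"_msg": "db error: timeout", "userId": "u-300"},
    # empty first candidate: user_id is present but empty, userid carries the value
    {"_msg": "write failed", "detail": "disk error", "user_id": "", "userid": "u-400"},
    # none of the user-id candidates present
    {"_msg": "heartbeat"},
]

USER_ID_FIELDS = ("user_id", "userid", "userId")
MESSAGE_FIELDS = ("_msg", "detail")


def coalesce(event, fields, default=None):
    """Return the first non-empty value among `fields`, like SQL COALESCE.

    A missing field and an empty string are both treated as absent, which is
    what the `if(!result:*)` guard in the chained format pipes checks.
    """
    for name in fields:
        value = event.get(name)
        if value not in (None, ""):
            return value
    return default


def normalize(events, fields, result="result"):
    """Copy each event and store the coalesced value under `result`
    (the effect of `| coalesce(field1, field2, field3) as result`).
    Events with no candidate value get no `result` field at all."""
    out = []
    for event in events:
        merged = dict(event)
        value = coalesce(event, fields)
        if value is not None:
            merged[result] = value
        out.append(merged)
    return out


def filter_coalesced(events, fields, needle):
    """Reading 1: apply the filter to the coalesced value only
    (`coalesce(f1, f2, f3):"error"` taken literally)."""
    needle = needle.lower()
    return [e for e in events if needle in str(coalesce(e, fields, "")).lower()]


def filter_any(events, fields, needle):
    """Reading 2: match if the needle appears in ANY candidate field
    ("search for error in field1, field2, or field3")."""
    needle = needle.lower()
    return [
        e for e in events
        if any(needle in str(e.get(name, "")).lower() for name in fields)
    ]


if __name__ == "__main__":
    for e in normalize(SAMPLE_EVENTS, USER_ID_FIELDS):
        print(e.get("result"), e)
    # The fourth event shows where the two filter readings diverge:
    # `_msg` ("write failed") wins the coalesce, so reading 1 misses the
    # "disk error" held in `detail`, while reading 2 finds it.
    print(len(filter_coalesced(SAMPLE_EVENTS, MESSAGE_FIELDS, "error")))  # 1
    print(len(filter_any(SAMPLE_EVENTS, MESSAGE_FIELDS, "error")))        # 2
```

The fourth sample event is the interesting one: the first non-empty message field does not contain "error" but a later candidate does, so the two filter readings give different results. That is the ambiguity behind treating the coalesce function and the multi-field filter as separate features.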