Filtering Query Functions
Filter functions allow you to filter events or event data based on whether the query matches the filter. For example:
logscale
in(name,values=["datasource-count"])
Would return all events where the name field equals datasource-count.
Filter functions can also be negated, i.e. filter the events that do not match the given filter. For example:
logscale
!in(name,values=["datasource-count"])
Would return all events where the name field does not equal datasource-count.
Note
All the functions in the table below are negatable except
sample
.
Table: Filtering Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
array:contains(array, value) | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches | |
array:regex(array, [flags], regex) | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result | |
cidr([column], field, [file], [negate], [subnet]) | field | Filters events using CIDR subnets. | |
coalesce([as], expressions, [ignoreEmpty]) | expressions | Selects the value of the first expression from a list of expressions | |
in(field, [ignoreCase], values) | field | Filters records by values where field is in given values. | |
match([column], field, file, [glob], [ignoreCase], [include], [mode], [strict]) | file | Searches text using a CSV or JSON file and can enhance entries. | |
regex([field], [flags], [limit], regex, [repeat], [strict]) | regex | Extracts new fields using a regular expression. | |
sample([field], [percentage]) | percentage | Samples the event stream. | |
selfJoinFilter(field, [prefilter], where) | field | Runs query to determine IDs, and then gets all events containing one of them. | |
test(expression) | expression | Evaluates boolean expression and filters events. |