Filtering Query Functions

Filter functions keep or drop events depending on whether each event matches the filter. For example:

```logscale
in(name, values=["datasource-count"])
```

returns only the events where the name field equals datasource-count.

Filter functions can also be negated by prefixing them with `!`, which keeps the events that do not match the filter. For example:

```logscale
!in(name, values=["datasource-count"])
```

returns only the events where the name field does not equal datasource-count.

Note

All the functions in the table below can be negated with `!` except sample().
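As an added example, not taken from the LogScale documentation, the query below chains several of the filter functions listed in the table that follows, both in their positive and negated forms, to find denied requests to administrative paths from addresses outside the private ranges. The tag and field names (#type, client_ip, status, path, user_agent, bytes) and the subnets are assumptions for illustration:

```logscale
// Added example; #type, field names and subnets are assumed, not from the original page
#type=accesslog
// negated cidr(): keep only events whose client_ip is NOT in an RFC 1918 range
| !cidr(field=client_ip, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// in(): keep only denied responses
| in(status, values=["401", "403"])
// regex(): keep only requests whose path starts with /admin
| regex("^/admin", field=path)
// negated in() with ignoreCase: drop the monitoring probe regardless of casing
| !in(user_agent, values=["healthcheck"], ignoreCase=true)
// test(): keep only events where the boolean expression holds
| test(bytes > 0)
```

Each stage in the pipe drops the events it does not match, so the result is the intersection of all five filters. The `!` prefix on cidr() gives the same result as the negate parameter listed in the table, but reads consistently with the other negated functions. sample() is the one function in the table that cannot be prefixed with `!`.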

Table: Filtering Query Functions

| Function | Default Argument | Availability | Description |
|---|---|---|---|
| array:contains(array, value) | array | | Checks whether the given value matches any of the values of the array and excludes the event if no value matches. |
| array:regex(array, [flags], regex) | array | | Checks whether the given regular expression matches any of the values of the array and excludes the event from the search result if no value matches. |
| cidr([column], field, [file], [negate], [subnet]) | field | | Filters events to those whose field holds an IP address inside the given CIDR subnets, listed inline or read from a lookup file. |
| coalesce([as], expressions, [ignoreEmpty]) | expressions | | Selects the value of the first expression in the list that yields a value. |
| in(field, [ignoreCase], values) | field | | Filters events to those whose field equals one of the given values. |
| match([column], field, file, [glob], [ignoreCase], [include], [mode], [strict]) | file | | Matches a field against a CSV or JSON lookup file and can enrich the event with columns from the matching row. |
| regex([field], [flags], [limit], regex, [repeat], [strict]) | regex | | Filters events to those matching a regular expression and extracts new fields from its named capture groups. |
| sample([field], [percentage]) | percentage | | Samples the event stream, keeping a percentage of the events. |
| selfJoinFilter(field, [prefilter], where) | field | | Runs a query to determine a set of IDs, then returns all events containing one of those IDs. |
| test(expression) | expression | | Evaluates a boolean expression and keeps only the events for which it is true. |