Checks whether the given pattern matches any of the values of the array and excludes the event from the search result if it does not match on any value.


To ensure compatibility, it is recommended to always test your regular expressions inside LogScale, instead of in a third-party regex tool.

| Parameter | Type   | Required    | Description |
| array[a]  | string | required    | A string in the format of a valid array index []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. |
| flags     | string | optional[b] | The regex modifier flags to use. Valid values: empty string; d: Period (.) also includes newline characters; i: Ignore case for matched values; m: Multi-line parsing of regular expressions. |
| regex     | regex  | required    | The regex pattern for the value on which to search the array. |

[a] The argument name array can be omitted.

[b] Optional parameters use their default value unless explicitly set

Omitted Argument Names

The argument name for array can be omitted; the following forms of this function are equivalent:




These examples show basic structure only; full examples are provided below.

A specific syntax applies for this query function; see Array Syntax for details.

array:regex() Examples

Given events containing an 'incidents' array:

Event 1

| host         | v1          |
| incidents[0] | Evil Bear   |
| incidents[1] | Cozy Bear   |

Event 2

| host         | v15         |
| incidents[0] | Fancy Fly   |
| incidents[1] | Tiny Cat    |
| incidents[2] | Cozy Bears  |

Find all the events where the incidents field matches the value Cozy Bear using a regular expression, grouping them by which hosts were affected:

array:regex("incidents[]", regex="^Cozy Bear$")
| groupBy(host)

Giving the output event:

| host         | v1          |
| _count       | 1           |

Given events containing a responses array, find all events where an entry in responses ends with bear, BeAr, bEAR, and so on:

array:regex("responses[]", regex="bear$", flags="i")
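
The matching rules used in the examples above, modelled in Python over the two sample incidents events from this page (an added example, not LogScale code): an event is kept when the pattern is found in at least one array element, so an anchored pattern drops Cozy Bears while an unanchored one keeps it. Python's re module stands in for the LogScale regex engine and the two can differ, which is why patterns should still be tested inside LogScale; the function names are hypothetical, and reading elements from index 0 up to the first missing index is an assumption of this model.

```python
import re

# Map the page's flag letters onto Python's re flags (stand-in engine).
FLAG_MAP = {"d": re.DOTALL, "i": re.IGNORECASE, "m": re.MULTILINE}

# The two sample events from this page, as flat field maps.
EVENTS = [
    {"host": "v1", "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat",
     "incidents[2]": "Cozy Bears"},
]


def array_values(event, array):
    """Collect name[0], name[1], ... for an array written as 'name[]'."""
    if not array.endswith("[]"):
        raise ValueError("array must end with []")
    base = array[:-2]
    values, index = [], 0
    # Assumption: elements are read from index 0 until the first missing index.
    while f"{base}[{index}]" in event:
        values.append(event[f"{base}[{index}]"])
        index += 1
    return values


def array_regex(event, array, regex, flags=""):
    """True if the pattern is found in at least one element (unanchored search)."""
    re_flags = 0
    for letter in flags:
        if letter not in FLAG_MAP:
            raise ValueError(f"unsupported flag: {letter}")
        re_flags |= FLAG_MAP[letter]
    pattern = re.compile(regex, re_flags)
    return any(pattern.search(value) for value in array_values(event, array))


def hosts_matching(events, array, regex, flags=""):
    """Filter events, then count per host, like piping into groupBy(host)."""
    counts = {}
    for event in events:
        if array_regex(event, array, regex, flags):
            counts[event["host"]] = counts.get(event["host"], 0) + 1
    return counts


if __name__ == "__main__":
    print(hosts_matching(EVENTS, "incidents[]", "^Cozy Bear$"))  # anchored
    print(hosts_matching(EVENTS, "incidents[]", "Cozy Bear"))    # unanchored
```

With the unanchored pattern both hosts are returned, because Cozy Bears in Event 2 contains Cozy Bear; for detections that key on exact names, that difference decides whether Event 2 is reported.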