Tests if a specific substring is present within a given string. It takes
two arguments: string
and substring
, both of
which can be provided as plain text, field values, or results of an
expression.
Similar to the test()
function,
text:contains()
returns the events where the
condition is met. The function can be negated to find the events, where
the substring is not found in the main string.
Omitted Argument NamesThe argument name for
string
can be omitted; the following forms of this function are equivalent:logscaletext:contains("value",substring="value")
and:
logscaletext:contains(string="value",substring="value")
These examples show basic structure only; full examples are provided below.
text:contains()
Examples
- logscale
text:contains(string=name,substring="download")
name is the name of a field and
download
is the string, and that would be equivalent to:logscalename = /download/
- logscale
text:contains("foobar", substring="oba")
is true (
oba
does exist in the string)logscaletext:contains("foobar", substring="abo")
is false (
abo
does not exist in the string) Check two fields, e.g. thread and class:
logscaletext:contains(thread, substring="bucket") |text:contains(class,substring="Storage") |groupBy([thread,class])
Which will produce the following output:
Field thread Field class Count bucket-clean-obsoletes-s3 c.h.b.BucketStorageCleaningJob 432 bucket-entity-config c.h.b.BucketStorageEntityConfigLogger 48 bucket-storage-prefetch c.h.b.BucketStoragePrefetchJob 1436 bucket-storage-transfer-scheduler c.h.b.BucketStorageUploadJob 2666 bucket-storage-upload c.h.b.BucketStorageUploadJob 1333 delete-bucket-segments c.h.b.BucketStorageDeleteObsoleteSegmentsJob 2574