Performs a wildcard pattern search with optional case
insensitivity.
The primary purpose is to make it easier to do case insensitive
searching across fields and events using a wildcard pattern
instead of a regular expression. This is especially useful for
users unfamiliar with regular expressions.
Whenever ignoreCase is true:
The search will be case-insensitive; for example, if the given
pattern is *http* then this will match any upper/lower-case
combination of HTTP.
The search is equivalent to a case-insensitive regex, either on
the given fields, or as an unanchored freetext regex that
searches the entire, original, unmodified event (see the example
Search Fields Through a Given Pattern - Example 5).
Whenever ignoreCase is false, the search is equivalent to a
wildcard-search, either on the given fields, or as an
unanchored, freetext search on the entire, original,
unmodified event.
field1=/<patternAsRegex>/i OR field2=/<patternAsRegex>/i OR …(as unanchored regexes)
Note
For performance reasons, only set ignoreCase to true if
necessary; the case-insensitive search might be up to 2x slower
than having this parameter set to false, depending on the
search pattern and the data.
The following query:
logscale
wildcard(field=myField,pattern="*foobar*")
can be written as:
logscale
myField=~wildcard("*foobar*")
This is because pattern is the implicit parameter and, in
general in the query language, parameters named field can be
used with the =~ shorthand syntax.
wildcard(...) can be negated by using not wildcard(...); this
finds all events that did not match the given pattern.
Find all events containing any Data string in their class, and
count the occurrences for each class that is found. For example,
it can be used to get a list of events that have items such as
DataIngestRateMonitor, or LocalDatasource.
Step-by-Step
Starting with the source repository events.
logscale
wildcard(field=class,pattern="*Data*")
Searches the incoming data to list all events having Data (and
everything around it) in their string.
logscale
|groupBy(class)
Takes the events extracted from the search and groups them by
the class field.
Event Result set.
Summary and Results
The result is an aggregated count of all events matching
anything with Data (with one or more characters before or
after), in the class field.
Searching multiple fields for a value allows you to find events
where the field animal or plant contains the exact value horse,
with the match being case-sensitive.
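The forms described on this page, written out as an added example that is not taken from the original documentation. The field names animal, plant and class are the ones used in the page's examples; passing several fields to field as an array is assumed here.

```logscale
// Added example; each numbered query is run on its own.

// 1. Case-sensitive search of two fields for the value horse.
//    With ignoreCase=false this is a wildcard-search on each given field.
wildcard(field=[animal, plant], pattern="horse", ignoreCase=false)

// 2. The same two fields, matching any upper/lower-case combination
//    of horse. This is evaluated in the form the page gives:
//    field1=/<patternAsRegex>/i OR field2=/<patternAsRegex>/i
//    and may be slower than query 1.
wildcard(field=[animal, plant], pattern="horse", ignoreCase=true)

// 3. No field given: the pattern is applied as freetext to the entire,
//    original, unmodified event.
wildcard(pattern="*http*", ignoreCase=true)

// 4. Case-insensitive match on class, a negated wildcard() to drop one
//    class, then a count per remaining class.
wildcard(field=class, pattern="*data*", ignoreCase=true)
| not wildcard(field=class, pattern="LocalDatasource")
| groupBy(class)
```

Comparing the result counts of queries 1 and 2 over the same time range shows how many events a case-sensitive pattern would have missed.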