Tests if a specific substring is present within a given string. It takes two arguments: string and substring, both of which can be provided as plain text, field values, or results of an expression.

Similar to the test() function, text:contains() returns the events where the condition is met. The function can be negated to find the events, where the substring is not found in the main string.

ParameterTypeRequiredDefaultDescription
string[a]expressionrequired  The main string where the search is performed.
substringexpressionrequired  The string that is searched for in the main string.

[a] The argument name string can be omitted.

Omitted Argument Names

The argument name for string can be omitted; the following forms of this function are equivalent:

logscale
text:contains("value",substring="value")

and:

logscale
text:contains(string="value",substring="value")

These examples show basic structure only; full examples are provided below.

  • logscale
    text:contains(string=name,substring="download")

    name is the name of a field and download is the string, and that would be equivalent to:

    logscale
    name = /download/
  • logscale
    text:contains("foobar", substring="oba")

    is true (oba does exist in the string)

    logscale
    text:contains("foobar", substring="abo")

    is false (abo does not exist in the string)

  • Check two fields, e.g. thread and class:

    logscale
    text:contains(thread, substring="bucket")
|text:contains(class,substring="Storage")
|groupBy([thread,class])

    Which will produce the following output:

    Field threadField classCount
    bucket-clean-obsoletes-s3c.h.b.BucketStorageCleaningJob432
    bucket-entity-configc.h.b.BucketStorageEntityConfigLogger48
    bucket-storage-prefetchc.h.b.BucketStoragePrefetchJob1436
    bucket-storage-transfer-schedulerc.h.b.BucketStorageUploadJob2666
    bucket-storage-uploadc.h.b.BucketStorageUploadJob1333
    delete-bucket-segmentsc.h.b.BucketStorageDeleteObsoleteSegmentsJob2574