Performs a wildcard pattern search with optional case insensitivity.
The primary purpose is to make it easier to do case insensitive searching across fields and events using a wildcard pattern instead of a regular expression. This is especially useful for users unfamiliar with regular expressions.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
field | array of strings | optional[a] | | Determines which fields the pattern should search in. When no fields are given, all fields of the original, unmodified event will be searched. |
ignoreCase | boolean | optional[a] | false | Allows for case-insensitive searching. |
pattern[b] | string | required | | Wildcard (glob) pattern to search for. |
[a] Optional parameters use their default value unless explicitly set
[b] The argument name
Omitted Argument Names
The argument name for pattern can be omitted; the following forms of this function are equivalent:
wildcard("value")
and:
wildcard(pattern="value")
These examples show basic structure only; full examples are provided below.
Depending on the field and ignoreCase arguments, the wildcard() behavior can vary:
- Whenever ignoreCase is true:
  - the search will be case-insensitive; for example, if the given pattern is *http* then this will match any upper/lower-case combination of HTTP.
  - the search is equivalent to a case-insensitive regex, either on the given fields, or as an unanchored freetext regex that searches the entire, original, unmodified event; see the example below, Searching Fields Through a Given Pattern – Example 5.
- Whenever ignoreCase is false, the search is equivalent to a wildcard-search, either on the given fields, or as an unanchored, freetext search on the entire, original, unmodified event.
To sum up:
Table: wildcard() behavior
ignoreCase | field is [] or not specified | field is specified as [field1, field2, …, ] |
---|---|---|
false | *<pattern>* | field1=<pattern> OR field2=<pattern> OR … |
true | /<patternAsRegex>/i | field1=/<patternAsRegex>/i OR field2=/<patternAsRegex>/i OR … (as unanchored regexes) |
Note
For performance reasons, only set ignoreCase to true if necessary; the case-insensitive search might be up to 2x slower than having this parameter set to false, depending on the search pattern and the data.
The following query:
wildcard(field=myField, pattern="*foobar*")
can be written as:
myField =~ wildcard("*foobar*")
This is because pattern is the implicit parameter, and parameters named field can be used with the =~ shorthand syntax in general in the query language.
wildcard(...) can be negated by using not wildcard(...); this finds all events that did not match the given pattern.
wildcard() Examples
Finding Fields with Data in Class
Search Repository: humio
wildcard(field=class,pattern="*Data*")
| groupBy(class)
Find all events containing any Data string in their class, and count the occurrences for each class that is found. For example, it can be used to get a list of events that have items such as DataIngestRateMonitor, or LocalDatasource.
Starting with the source repository events
Search the incoming data to list all events having Data (and everything around it) in their string.
wildcard(field=class,pattern="*Data*")
Take the events extracted from the search and group them by the class field.
| groupBy(class)
Event Result set
The result is an aggregated count of all events matching anything with Data (with one or more characters before or after), in the class field.
class | _count |
---|---|
c.h.c.c.ChatterDataMemoryStatusLoggerJob$ | 283 |
c.h.d.DataIngestRateMonitor$ | 7504 |
c.h.d.LocalDatasource$ | 10352 |
c.h.d.q.EmptyIdleDatasourcesCleaner | 3 |
c.h.e.e.Datasource$ | 3947 |
c.h.e.e.Datasources$ | 4 |
c.h.e.f.DataSnapshotOps$ | 662 |
c.h.e.f.DataWithGlobal | 7254 |
c.h.j.CleanupDatasourceFilesJob | 141 |
c.h.j.DataSyncJobImpl$ | 46594 |
c.h.j.DatasourceRehashingJob$ | 32 |
c.h.k.ChatterDataDistributionKafka$ | 107 |
Finding Fields with S3Bucket in Class
Search Repository: humio
wildcard(field=class, pattern="*S3Bucket*", ignoreCase=true)
| groupBy(class)
Find all events containing any S3Bucket item (and all before and after) in their class, and count the occurrences for each class that is found.
Starting with the source repository events
Search the incoming data to list all events having S3Bucket (or everything around it, case-insensitive) in their string.
wildcard(field=class, pattern="*S3Bucket*", ignoreCase=true)
Take the events extracted from the search and group them by the class field.
| groupBy(class)
Event Result set
The result is an aggregated count of all events matching anything with S3Bucket, case-insensitive, in the class field.
class | _count |
---|---|
c.h.b.s.S3BucketStorageCleaningJob | 197 |
c.h.b.s.S3BucketStorageFileUpLoader | 2329 |
c.h.b.s.S3BucketStorageUploadJob | 3869 |
Searching Fields Through a Given Pattern – Example 1
wildcard(field=animal, pattern=horse, ignoreCase=false)
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events where the field animal contains the exact value horse, and make it case-sensitive.
Starting with the source repository events
Search elements in the field animal that match horse.
wildcard(field=animal, pattern=horse, ignoreCase=false)
Event Result set
The result is a list of events where field animal has the exact value horse.
The query used is equivalent to animal="horse".
Searching Fields Through a Given Pattern – Example 2
wildcard(field=animal, pattern=horse, ignoreCase=true)
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events where the field animal contains the value horse, and make it case-insensitive.
Starting with the source repository events
Search elements in the field animal that match horse, case-insensitive.
wildcard(field=animal, pattern=horse, ignoreCase=true)
Event Result set
The result is a list of events where field animal contains any capitalization of horse (HORSE, hOrsE, Horse, etc.).
The query used is equivalent to animal=/\Ahorse\z/i.
Note that it is anchored.
Searching Fields Through a Given Pattern – Example 3
wildcard(field=animal, pattern=*h*rse*, ignoreCase=true)
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events where field animal matches the given pattern, and it's case-insensitive:
Step-by-Step
Starting with the source repository events
Search elements in the field animal that match *h*rse*.
wildcard(field=animal, pattern=*h*rse*, ignoreCase=true)
Event Result set
The result is a list of the following accepted events:
animal |
---|
horse |
Horse |
HORSES |
crazy hOrSe |
dancing with horses |
hooorse |
The query used is equivalent to animal=/h.*rse/i.
Note that it is unanchored.
Searching Fields Through a Given Pattern – Example 4
wildcard(pattern=horse, ignoreCase=false)
Given the following events:
|--------------|------------------------|
| animal | horse |
| mammal | Horse |
| mammal | wild horses |
| animal | human |
| mammal | HORSES |
| animal | duck |
| mammal | dog |
| animal | dancing with horses |
|--------------|------------------------|
Find events that contain horse in any field, case-sensitive:
Starting with the source repository events
Search the original, unmodified event for the string horse.
wildcard(pattern=horse, ignoreCase=false)
Event Result set
The result accepts the events with horse, wild horses and dancing with horses. This query is equivalent to the freetext search "horse".
Searching Fields Through a Given Pattern – Example 5
wildcard(pattern=horse, ignoreCase=true)
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events that contain horse, case-insensitive:
Starting with the source repository events
Search the original, unmodified event for the string horse, case-insensitive.
wildcard(pattern=horse, ignoreCase=true)
Event Result set
The result is a list of the following accepted events:
animal |
---|
horse |
Horse |
HORSES |
crazy hOrSe |
dancing with horses |
This query is equivalent to the freetext regex /horse/i.
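The behavior table and Examples 1 to 5 above, modelled in Python as an added example (not LogScale's implementation and not code from the original documentation). It assumes * is the only wildcard character and that the original event text has the form name=value; the raw key and all helper names are hypothetical.

```python
import re

def glob_to_regex(pattern):
    """'*' becomes '.*'; every other character is matched literally."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))

def wildcard(event, pattern, field=None, ignore_case=False):
    """Model of the behavior table. `event` maps field names to values and
    carries the original event text under the hypothetical key 'raw'."""
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    regex = re.compile(glob_to_regex(pattern), flags)
    if not field:
        # field is [] or not specified: unanchored search of the original event.
        return regex.search(event["raw"]) is not None
    # field is specified: the pattern must cover the whole value of at least one
    # listed field, so "horse" is anchored and "*h*rse*" acts unanchored.
    return any(regex.fullmatch(event[f]) for f in field if f in event)

def make_events(pairs):
    # Constructed events: one field each, raw text assumed to be "name=value".
    return [{name: value, "raw": f"{name}={value}"} for name, value in pairs]

def run(events, pattern, field=None, ignore_case=False):
    """Return the raw text of every event the filter accepts."""
    return [e["raw"] for e in events if wildcard(e, pattern, field, ignore_case)]

# Event sets copied from Examples 1-3 and 5 (ANIMALS) and Example 4 (MIXED).
ANIMALS = make_events(("animal", v) for v in [
    "horse", "Horse", "duck", "HORSES", "crazy hOrSe", "hooorse",
    "dancing with horses"])
MIXED = make_events([
    ("animal", "horse"), ("mammal", "Horse"), ("mammal", "wild horses"),
    ("animal", "human"), ("mammal", "HORSES"), ("animal", "duck"),
    ("mammal", "dog"), ("animal", "dancing with horses")])

if __name__ == "__main__":
    print(run(ANIMALS, "horse", ["animal"]))          # Example 1
    print(run(ANIMALS, "horse", ["animal"], True))    # Example 2
    print(run(ANIMALS, "*h*rse*", ["animal"], True))  # Example 3
    print(run(MIXED, "horse"))                        # Example 4
    print(run(ANIMALS, "horse", ignore_case=True))    # Example 5
```

The anchored field case (Examples 1 and 2) is the one to check when writing filters: without a surrounding *, a pattern only matches a field whose whole value equals it.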