Checks whether the given pattern matches any of the values of the array and excludes the event from the search result if it does not match on any value.
Note
To ensure compatibilty, it is recommended to always test your regular expressions inside LogScale, instead of a 3rd party regex tool.
| Parameter | Type | Required | Default Value | Description | |
|---|---|---|---|---|---|
array[a] | string | required | A string in the format of a valid array index []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[] . | ||
flags | string | optional[b] | The regex modifier flags to use. | ||
| Valid Values | |||||
| Empty String | ||||
d | Period (.) also includes newline characters | ||||
i | Ignore case for matched values | ||||
m | Multi-line parsing of regular expressions | ||||
regex | regex | required | The regex pattern for the value on which to search the array. | ||
[b] Optional parameters use their default value unless explicitly set. | |||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:regex("value[]",regex="value")and:
logscalearray:regex(array="value[]",regex="value")These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale!array:regex()Or:
logscalenot array:regex()For more information, see Negating the Result of Filter Functions.
A specific syntax applies for this query function, see Array Syntax for details.
array:regex() Examples
Find Matches in Array Given a Regular Expression - Example 1
Use regular expressions to search for and match specific patterns in flat arrays
Query
array:regex("incidents[]", regex="^Cozy Bear.*")
| groupBy(host)Introduction
A regular expression is a form of advanced searching that looks
for specific patterns, as opposed to certain terms and phrases.
You can use a regular expression to find all matches in an
array. In this example, the regular expression is used to search
for patterns where the value Cozy Bear
appears in a certain position across arrays.
Example incoming data might look like this:
| host | incidents[0] | incidents[1] | incidents[2] |
|---|---|---|---|
| v1 | Evil Bear | Cozy Bear | |
| v15 | Fancy Fly | Tiny Cat | Cozy Bears |
| v22 | Fancy Fly | Tiny Cat | Cold Bears |
| v4 | Fancy Fly | Tiny Cat | Cozy Bearskins |
| v1 | Evil Bear | Cozy Bears |
Step-by-Step
Starting with the source repository events.
- logscale
array:regex("incidents[]", regex="^Cozy Bear.*")Searches in the incidents array for values that only start with
Cozy Bear. Find all matches given that regular expression. - logscale
| groupBy(host)Groups the returned results by host.
Event Result set.
Summary and Results
The query using the regex expression are used to quickly search and return results for specific values in arrays. Regular expressions are useful when searching for different strings containing the same patterns; such as social security numbers, URLs, email addresses, and other strings that follow a specific pattern.
Sample output from the incoming example data:
| host | _count |
|---|---|
| v1 | 2 |
| v15 | 1 |
| v4 | 1 |
Find Matches in Array Given a Regular Expression - Example 2
Use regular expressions to search for and match specific patterns ignoring case in flat arrays
Query
array:regex("responses[]", regex="bear$", flags="i")Introduction
A regular expression is a form of advanced searching that looks
for specific patterns, as opposed to certain terms and phrases.
You can use a regular expression to find all matches in an array.
In this example, the regular expression is used to search for
patterns where the value bear appears at the
end of a value in an array element, ignoring the case.
Step-by-Step
Starting with the source repository events.
- logscale
array:regex("responses[]", regex="bear$", flags="i")Searches in the responses array for values that begins with
bear, ignoring the case (due to theiflag). Event Result set.
Summary and Results
The queries using the regex expression are used to quickly search and return results for specific values in arrays. Regular expressions are useful when searching for different strings containing the same patterns; such as social security numbers, URLs, email addresses, and other strings that follow a specific pattern.