Performs a wildcard pattern search with optional case insensitivity.
The primary purpose is to make it easier to do case insensitive searching across fields and events using a wildcard pattern instead of a regular expression. This is especially useful for users unfamiliar with regular expressions.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
field | array of strings | optional[a] | Determines which fields the pattern should search in. When no fields are given, all fields of the original, unmodified event will be searched. | |
ignoreCase | boolean | optional[a] | false | Allows for case-insensitive searching. |
pattern[b] | string | required | Wildcard (glob) pattern to search for. | |
[a] Optional parameters use their default value unless explicitly set. [b] The argument name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
patterncan be omitted; the following forms of this function are equivalent:logscalewildcard("value")and:
logscalewildcard(pattern="value")These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale!wildcard()Or:
logscalenot wildcard()For more information, see Negating the Result of Filter Functions.
Depending on the field and
ignoreCase arguments, the
wildcard() behavior can vary:
Whenever
ignoreCaseistrue:the search will be case-insensitive; for example, if the given pattern is
*http*then this will match any upper/lower-case combination of HTTP.the search is equivalent to a case-insensitive regex, either on the given fields, or as an unanchored freetext regex that searches the entire, original, unmodified event — see the example below Search Fields Through a Given Pattern - Example 5.
Whenever
ignoreCaseisfalse, the search is equivalent to a wildcard-search, either on the given fields, or as an unanchored, freetext search on the entire, original, unmodified event.
To sum up:
Table: wildcard() behavior
ignoreCase Parameter
|
field is [] or not specified
|
field is specified as [field1, field2, …, ]
|
|---|---|---|
|
|
*<pattern>*
|
field1=<pattern> OR field2=<pattern>
OR …
|
|
|
/<patternAsRegex>/i
|
field1=/<patternAsRegex>/i OR
field2=/<patternAsRegex>/i OR …(as
unanchored regexes)
|
Note
For performance reasons, only set ignoreCase to
true if necessary; the case-insensitive search might be up
to 2x slower than having this parameter set to false
— depending on the search pattern and the data.
The following query:
wildcard(field=myField, pattern="*foobar*")can be written as:
myField =~ wildcard("*foobar*")
This is because pattern is the implicit parameter,
and parameters named field can be used with the
=~ shorthand syntax in general in the query
language.
wildcard(...) can be negated by using not
wildcard(...), this finds all events that did not match the given
pattern.
wildcard() Examples
Find Fields With Data in Class
Introduction
Find all events containing any Data string in their
class, and count the occurrences for each
class that is found. For example, it can be used to get a list of
events that have items such as DataIngestRateMonitor, or
LocalDatasource.
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(field=class,pattern="*Data*")Searches the incoming data to list all events having Data (and everything around it) in their string.
- logscale
| groupBy(class)Takes the events extracted from the search and groups them by the class field.
Event Result set.
Summary and Results
The result is an aggregated count of all events matching
anything with Data (with one or more characters
before or after), in the class field.
| class | _count |
|---|---|
| c.h.c.c.ChatterDataMemoryStatusLoggerJob$ | 283 |
| c.h.d.DataIngestRateMonitor$ | 7504 |
| c.h.d.LocalDatasource$ | 10352 |
| c.h.d.q.EmptyIdleDatasourcesCleaner | 3 |
| c.h.e.e.Datasource$ | 3947 |
| c.h.e.e.Datasources$ | 4 |
| c.h.e.f.DataSnapshotOps$ | 662 |
| c.h.e.f.DataWithGlobal | 7254 |
| c.h.j.CleanupDatasourceFilesJob | 141 |
| c.h.j.DataSyncJobImpl$ | 46594 |
| c.h.j.DatasourceRehashingJob$ | 32 |
| c.h.k.ChatterDataDistributionKafka$ | 107 |
Find Fields With S3Bucket in Class
Query
Search Repository: humio
wildcard(field=class, pattern="*S3Bucket*", ignoreCase=true)
| groupBy(class)Introduction
Find all events containing any S3Bucket item (and all
before and after) in their class, and count
the occurrences for each class that is found.
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(field=class, pattern="*S3Bucket*", ignoreCase=true)Searches the incoming data to list all events having S3Bucket (or everything around it, case-insensitive) in their string.
- logscale
| groupBy(class)Takes the events extracted from the search and group them by the class field.
Event Result set.
Summary and Results
The result is an aggregated count of all events matching
anything with S3Bucket, case-insensitive, in the
class field.
| class | _count |
|---|---|
| c.h.b.s.S3BucketStorageCleaningJob | 197 |
| c.h.b.s.S3BucketStorageFileUpLoader | 2329 |
| c.h.b.s.S3BucketStorageUploadJob | 3869 |
Search Fields Through a Given Pattern - Example 1
Query
wildcard(field=animal, pattern=horse, ignoreCase=false)Introduction
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Finds events where the field
animal contains the
exact value horse , and makes it case-sensitive.
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(field=animal, pattern=horse, ignoreCase=false)Searches elements in the field animal that match
horse. Event Result set.
Summary and Results
The result is a list of events where field
animal has the exact
value horse.
The query used is equivalent to animal="horse" .
Search Fields Through a Given Pattern - Example 2
Query
wildcard(field=animal, pattern=horse, ignoreCase=true)Introduction
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Finds events where the field
animal contains the
value horse, and makes it
case-insensitive.
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(field=animal, pattern=horse, ignoreCase=true)Searches elements in the field animal that match
horse, case-insensitive. Event Result set.
Summary and Results
The result is a list of events where field
animal contains any
capitalization of horse
(HORSE,
hOrsE,
Horse, etc.).
The query used is equivalent to
animal=/\Ahorse\z/i.
Note that it is anchored.
Search Fields Through a Given Pattern - Example 3
Query
wildcard(field=animal, pattern=*h*rse*, ignoreCase=true)Introduction
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|Finds events where field animal matches the given pattern, and it's case-insensitive:
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(field=animal, pattern=*h*rse*, ignoreCase=true)Searches elements in the field animal that match
*h*rse*. Event Result set.
Summary and Results
The result is a list of the following accepted events:
| animal |
| horse |
| Horse |
| HORSES |
| crazy hOrSe |
| dancing with horses |
| hooorse |
The query used is equivalent to:
animal=/h.*rse/i .
Note that it is unanchored.
Search Fields Through a Given Pattern - Example 4
Query
wildcard(pattern=horse, ignoreCase=false)Introduction
Given the following events:
|--------------|------------------------|
| animal | horse |
| mammal | Horse |
| mammal | wild horses |
| animal | human |
| mammal | HORSES |
| animal | duck |
| mammal | dog |
| animal | dancing with horses |
|--------------|------------------------|
Find events that contain
horse in any field,
case-sensitive:
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(pattern=horse, ignoreCase=false)Searches the original, unmodified event for the string
horse. Event Result set.
Summary and Results
The result accepts the events with
horse,
wild horses and
dancing with horses. This query
is equivalent to the freetext search
"horse" .
Search Fields Through a Given Pattern - Example 5
Query
wildcard(pattern=horse, ignoreCase=true)Introduction
Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Finds events that contain
horse, case-insensitive:
Step-by-Step
Starting with the source repository events.
- logscale
wildcard(pattern=horse, ignoreCase=true)Searches the original, unmodified event for the string
horse, case-insensitive. Event Result set.
Summary and Results
The result is a list of the following accepted events:
| animal |
| horse |
| Horse |
| HORSES |
| crazy hOrSe |
| dancing with horses |
This query is equivalent to the freetext regex
/horse/i .