Tests if a specific substring is present within a given string. It takes
two arguments: string
and substring
, both of
which can be provided as plain text, field values, or results of an
expression.
Similar to the test()
function,
text:contains()
returns the events where the
condition is met. The function can be negated to find the events, where
the substring is not found in the main string.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
string
can be omitted; the following forms of this function are equivalent:logscale Syntaxtext:contains("value",substring="value")
and:
logscale Syntaxtext:contains(string="value",substring="value")
These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale Syntax!text:contains()
Or:
logscale Syntaxnot text:contains()
For more information, see Negating the Result of Filter Functions.
text:contains()
Examples
- logscale
text:contains(string=name,substring="download")
name is the name of a field and
download
is the string, and that would be equivalent to:logscalename = /download/
- logscale
text:contains("foobar", substring="oba")
is true (
oba
does exist in the string)logscaletext:contains("foobar", substring="abo")
is false (
abo
does not exist in the string) Check two fields, for example, thread and class:
logscaletext:contains(thread, substring="bucket") | text:contains(class,substring="Storage") | groupBy([thread,class])
which will produce the following output:
Field thread Field class Count bucket-clean-obsoletes-s3 c.h.b.BucketStorageCleaningJob 432 bucket-entity-config c.h.b.BucketStorageEntityConfigLogger 48 bucket-storage-download c.h.b.BucketStorageDownloadJobImpl 8155 bucket-storage-prefetch c.h.b.BucketStoragePrefetchJob 1436 bucket-storage-transfer-scheduler c.h.b.BucketStorageUploadJob 2666 bucket-storage-upload c.h.b.BucketStorageUploadJob 1333 delete-bucket-segments c.h.b.BucketStorageDeleteObsoleteSegmentsJob 2574 As in the previous example, check and count the fields thread and class, but exclude the
download
substring in the field thread. This can be done by negating the function, as in the following query:logscaletext:contains(thread, substring="bucket") | text:contains(class,substring="Storage") | !text:contains(thread, substring="download") | groupBy([thread,class])
which will produce this result:
Field thread Field class Count bucket-clean-obsoletes-s3 c.h.b.BucketStorageCleaningJob 432 bucket-entity-config c.h.b.BucketStorageEntityConfigLogger 48 bucket-storage-prefetch c.h.b.BucketStoragePrefetchJob 1436 bucket-storage-transfer-scheduler c.h.b.BucketStorageUploadJob 2666 bucket-storage-upload c.h.b.BucketStorageUploadJob 1333 delete-bucket-segments c.h.b.BucketStorageDeleteObsoleteSegmentsJob 2574