Tests if a specific substring is present within a given string. It takes two arguments, `string` and `substring`, both of which can be provided as plain text, field values, or results of an expression.

Similar to the test() function, text:contains() returns the events where the condition is met. The function can be negated to find the events where the substring is not found in the main string.
Omitted Argument Names

The argument name for `string` can be omitted; the following forms of this function are equivalent:

```logscale
text:contains("value",substring="value")
```

and:

```logscale
text:contains(string="value",substring="value")
```

These examples show basic structure only.
Negatable Function Operation

This function is negatable, implying the inverse of the result. For example:

```logscale
!text:contains()
```

Or:

```logscale
not text:contains()
```

For more information, see Negating the Result of Filter Functions.
text:contains() Syntax Examples
- In the following query:

  ```logscale
  text:contains(string=name,substring="download")
  ```

  `name` is the name of a field and `download` is the string, and that would be equivalent to:

  ```logscale
  name = /download/
  ```

- The following is true (`oba` does exist in the string):

  ```logscale
  text:contains("foobar", substring="oba")
  ```

  The following is false (`abo` does not exist in the string):

  ```logscale
  text:contains("foobar", substring="abo")
  ```

- Check two fields, for example, thread and class:

  ```logscale
  text:contains(thread, substring="bucket")
  | text:contains(class,substring="Storage")
  | groupBy([thread,class])
  ```

  which will produce the following output:

  | Field thread | Field class | Count |
  |---|---|---|
  | bucket-clean-obsoletes-s3 | c.h.b.BucketStorageCleaningJob | 432 |
  | bucket-entity-config | c.h.b.BucketStorageEntityConfigLogger | 48 |
  | bucket-storage-download | c.h.b.BucketStorageDownloadJobImpl | 8155 |
  | bucket-storage-prefetch | c.h.b.BucketStoragePrefetchJob | 1436 |
  | bucket-storage-transfer-scheduler | c.h.b.BucketStorageUploadJob | 2666 |
  | bucket-storage-upload | c.h.b.BucketStorageUploadJob | 1333 |
  | delete-bucket-segments | c.h.b.BucketStorageDeleteObsoleteSegmentsJob | 2574 |

- As in the previous example, check and count the fields thread and class, but exclude the `download` substring in the field thread. This can be done by negating the function, as in the following query:

  ```logscale
  text:contains(thread, substring="bucket")
  | text:contains(class,substring="Storage")
  | !text:contains(thread, substring="download")
  | groupBy([thread,class])
  ```

  which will produce this result:

  | Field thread | Field class | Count |
  |---|---|---|
  | bucket-clean-obsoletes-s3 | c.h.b.BucketStorageCleaningJob | 432 |
  | bucket-entity-config | c.h.b.BucketStorageEntityConfigLogger | 48 |
  | bucket-storage-prefetch | c.h.b.BucketStoragePrefetchJob | 1436 |
  | bucket-storage-transfer-scheduler | c.h.b.BucketStorageUploadJob | 2666 |
  | bucket-storage-upload | c.h.b.BucketStorageUploadJob | 1333 |
  | delete-bucket-segments | c.h.b.BucketStorageDeleteObsoleteSegmentsJob | 2574 |
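The filter chain from the last two examples, modelled in Python as an added example (not LogScale's implementation and not part of the original documentation): each `|` stage only sees the events the previous stage kept, and the negated stage removes only the download group. The sample events, the helper names, and the literal, case-sensitive matching are assumptions of this model.

```python
from collections import Counter

# Constructed sample events (not from a real repository); the field names
# thread and class follow the examples on this page.
EVENTS = [
    {"thread": "bucket-storage-download", "class": "c.h.b.BucketStorageDownloadJobImpl"},
    {"thread": "bucket-storage-download", "class": "c.h.b.BucketStorageDownloadJobImpl"},
    {"thread": "bucket-storage-upload", "class": "c.h.b.BucketStorageUploadJob"},
    {"thread": "bucket-entity-config", "class": "c.h.b.BucketStorageEntityConfigLogger"},
    {"thread": "http-worker-3", "class": "c.h.b.BucketStorageUploadJob"},
    {"thread": "bucket-storage-prefetch", "class": "c.h.j.PrefetchTimer"},
]


def text_contains(field, substring, negate=False):
    # Model of text:contains(field, substring=...) as an event filter.
    # Assumption: literal, case-sensitive match on a field every event carries;
    # negate=True models the "!" prefix.
    def keep(event):
        return (substring in event[field]) != negate
    return keep


def run_pipeline(events, filters):
    # Each "|" stage filters the output of the previous one (logical AND).
    for keep in filters:
        events = [e for e in events if keep(e)]
    return events


def group_by(events, fields):
    # Model of groupBy([...]) producing a count per distinct key.
    return Counter(tuple(e[f] for f in fields) for e in events)


def grouped(extra_filters=()):
    # The two positive filters from the page, plus optional extra stages.
    base = [text_contains("thread", "bucket"), text_contains("class", "Storage")]
    return group_by(run_pipeline(EVENTS, base + list(extra_filters)), ["thread", "class"])


if __name__ == "__main__":
    print(grouped())
    print(grouped([text_contains("thread", "download", negate=True)]))
```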