Performs a wildcard pattern search with optional case insensitivity.

The primary purpose is to make it easier to do case insensitive searching across fields and events using a wildcard pattern instead of a regular expression. This is especially useful for users unfamiliar with regular expressions.

ParameterTypeRequiredDefault ValueDescription
fieldarray of stringsoptional[a]   Determines which fields the pattern should search in. When no fields are given, all fields of the original, unmodified event will be searched.
ignoreCasebooleanoptional[a] false Allows for case-insensitive searching.
includeEverythingOnAsteriskbooleanoptional[a] false Allows to output all events (even those missing the fields specified in field) if pattern is set to *.
pattern[b]stringrequired   Wildcard (glob) pattern to search for.

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name pattern can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

Hide negatable operation for this function

Show negatable operation for this function

Depending on the field and ignoreCase arguments, the wildcard() behavior can vary:

  • Whenever ignoreCase is true:

    • the search will be case-insensitive; for example, if the given pattern is *http* then this will match any upper/lower-case combination of HTTP.

    • the search is equivalent to a case-insensitive regex, either on the given fields, or as an unanchored freetext regex that searches the entire, original, unmodified event — see the example below Search Fields Through a Given Pattern - Example 5.

  • Whenever ignoreCase is false, the search is equivalent to a wildcard-search, either on the given fields, or as an unanchored, freetext search on the entire, original, unmodified event.

To sum up:

Table: wildcard() behavior

ignoreCase Parameter field is [] or not specified field is specified as [field1, field2, …, ]

ignoreCase = false

*<pattern>* field1=<pattern> OR field2=<pattern> OR …

ignoreCase = true

/<patternAsRegex>/i field1=/<patternAsRegex>/i OR field2=/<patternAsRegex>/i OR …(as unanchored regexes)

The includeEverythingOnAsterisk argument can also affect the wildcard() behavior:

Note

For performance reasons, only set ignoreCase to true if necessary; the case-insensitive search might be up to 2x slower than having this parameter set to false — depending on the search pattern and the data.

The following query:

logscale
wildcard(field=myField, pattern="*foobar*")

can be written as:

logscale
myField =~ wildcard("*foobar*")

This is because pattern is the implicit parameter, and parameters named field can be used with the =~ shorthand syntax in general in the query language.

wildcard(...) can be negated by using not wildcard(...), this finds all events that did not match the given pattern.

Deprecated:Free-text search v1.175.0

Free-text searches after aggregate functions are deprecated starting from version 1.175. Some uses of wildcard(), particularly those that do not specify a field argument, are free-text-searches and therefore deprecated as well.

wildcard() Examples

Click + next to an example below to get the full details.

Find Fields With Data in Class

Find Fields With S3Bucket in Class

Include All Fields with Any Given Pattern

Search Fields Through a Given Pattern - Example 1

Search Fields Through a Given Pattern - Example 2

Search Fields Through a Given Pattern - Example 3

Search Fields Through a Given Pattern - Example 4

Search Fields Through a Given Pattern - Example 5

Search Multiple Fields Through a Given Pattern