Filtering Query Functions
Filter functions allow you to filter events or event data based on whether the query matches the filter. For example:
```logscale
in(name,values=["livequery-count"])
```

Returns all events where the name field equals livequery-count.
Filter functions can also be negated, that is, used to return the events that do not match the given filter. For example:
```logscale
!in(name,values=["livequery-count"])
```

Returns all events where the name field does not equal livequery-count.
Note
All the functions in the Filtering Query Functions table are negatable except sample().
Table: Filtering Query Functions
| Function | Default Argument | Availability | Description |
|---|---|---|---|
| array:contains(array, value) | array | | Checks whether the given value matches any of the values of the array and excludes the event if no value matches. |
| array:exists(array, condition, [var]) | array | | Filters events based on whether the given array contains an element that satisfies a given condition (based on the array argument). Recommended for flat arrays. Does not work on nested arrays — use objectArray:exists() instead. |
| array:filter(array, [asArray], function, [var]) | array | | Drops entries from the input array using the given filtering function. |
| array:regex(array, [flags], regex) | array | | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result. |
| cidr([column], field, [file], [negate], [subnet]) | field | | Filters events using CIDR subnets. |
| in(field, [ignoreCase], values) | field | | Filters records by values where field is in given values. |
| match([column], field, file, [glob], [ignoreCase], [include], [mode], [nrows], [strict]) | file | | Searches text using a CSV or JSON file and can enhance entries. |
| regex([field], [flags], [limit], regex, [repeat], [strict]) | regex | | Extracts new fields using a regular expression. |
| sample([field], [percentage]) | percentage | | Samples the event stream. |
| selfJoinFilter(field, [prefilter], where) | field | | Runs query to determine IDs, and then gets all events containing one of them. |
| test(expression) | expression | | Evaluates boolean expression and filters events. |
| text:contains(string, substring) | string | | Tests if a specific substring is present within a given string. |
| text:endsWith(string, substring) | string | | Tests if a specific substring is present at the end of a given string. |
| text:startsWith(string, substring) | string | | Tests if a specific substring is present at the start of a given string. |
| wildcard([field], [ignoreCase], [includeEverythingOnAsterisk], pattern) | pattern | | Performs a wildcard pattern search with optional case insensitivity. |