Tests if a specific substring is present within a given string. It takes
two arguments: string
and substring, both of
which can be provided as plain text, field values, or results of an
expression.
Similar to the test() function,
text:contains() returns the events where the
condition is met. The function can be negated to find the events, where
the substring is not found in the main string.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
stringcan be omitted; the following forms of this function are equivalent:logscaletext:contains("value",substring="value")and:
logscaletext:contains(string="value",substring="value")These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale!text:contains()Or:
logscalenot text:contains()For more information, see Negating the Result of Filter Functions.
text:contains() Examples
- logscale
text:contains(string=name,substring="download")name is the name of a field and
downloadis the string, and that would be equivalent to:logscalename = /download/ - logscale
text:contains("foobar", substring="oba")is true (
obadoes exist in the string)logscaletext:contains("foobar", substring="abo")is false (
abodoes not exist in the string) Check two fields, e.g. thread and class:
logscaletext:contains(thread, substring="bucket") | text:contains(class,substring="Storage") | groupBy([thread,class])which will produce the following output:
Field thread Field class Count bucket-clean-obsoletes-s3 c.h.b.BucketStorageCleaningJob 432 bucket-entity-config c.h.b.BucketStorageEntityConfigLogger 48 bucket-storage-download c.h.b.BucketStorageDownloadJobImpl 8155 bucket-storage-prefetch c.h.b.BucketStoragePrefetchJob 1436 bucket-storage-transfer-scheduler c.h.b.BucketStorageUploadJob 2666 bucket-storage-upload c.h.b.BucketStorageUploadJob 1333 delete-bucket-segments c.h.b.BucketStorageDeleteObsoleteSegmentsJob 2574 As in the previous example, check and count the fields thread and class, but exclude the
downloadsubstring in the field thread. This can be done by negating the function, as in the following query:logscaletext:contains(thread, substring="bucket") | text:contains(class,substring="Storage") | !text:contains(thread, substring="download") | groupBy([thread,class])which will produce this result:
Field thread Field class Count bucket-clean-obsoletes-s3 c.h.b.BucketStorageCleaningJob 432 bucket-entity-config c.h.b.BucketStorageEntityConfigLogger 48 bucket-storage-prefetch c.h.b.BucketStoragePrefetchJob 1436 bucket-storage-transfer-scheduler c.h.b.BucketStorageUploadJob 2666 bucket-storage-upload c.h.b.BucketStorageUploadJob 1333 delete-bucket-segments c.h.b.BucketStorageDeleteObsoleteSegmentsJob 2574