Tests if a specific substring is present within a given string. It takes two arguments: string and substring, both of which can be provided as plain text, field values, or results of an expression.

Similar to the test() function, text:contains() returns the events where the condition is met. The function can be negated to find the events, where the substring is not found in the main string.

ParameterTypeRequiredDefaultDescription
string[a]expressionrequired  The main string where the search is performed.
substringexpressionrequired  The string that is searched for in the main string.

[a] The argument name string can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

Hide negatable operation for this function

Show negatable operation for this function

  • logscale
    text:contains(string=name,substring="download")

    name is the name of a field and download is the string, and that would be equivalent to:

    logscale
    name = /download/
  • logscale
    text:contains("foobar", substring="oba")

    is true (oba does exist in the string)

    logscale
    text:contains("foobar", substring="abo")

    is false (abo does not exist in the string)

  • Check two fields, e.g. thread and class:

    logscale
    text:contains(thread, substring="bucket")
|text:contains(class,substring="Storage")
|groupBy([thread,class])

    which will produce the following output:

    Field threadField classCount
    bucket-clean-obsoletes-s3c.h.b.BucketStorageCleaningJob432
    bucket-entity-configc.h.b.BucketStorageEntityConfigLogger48
    bucket-storage-downloadc.h.b.BucketStorageDownloadJobImpl8155
    bucket-storage-prefetchc.h.b.BucketStoragePrefetchJob1436
    bucket-storage-transfer-schedulerc.h.b.BucketStorageUploadJob2666
    bucket-storage-uploadc.h.b.BucketStorageUploadJob1333
    delete-bucket-segmentsc.h.b.BucketStorageDeleteObsoleteSegmentsJob2574

  • As in the previous example, check and count the fields thread and class, but exclude the download substring in the field thread. This can be done by negating the function, as in the following query:

    logscale
    text:contains(thread, substring="bucket")
|text:contains(class,substring="Storage")
|!text:contains(thread, substring="download")
|groupBy([thread,class])

    which will produce this result:

    Field threadField classCount
    bucket-clean-obsoletes-s3c.h.b.BucketStorageCleaningJob432
    bucket-entity-configc.h.b.BucketStorageEntityConfigLogger48
    bucket-storage-prefetchc.h.b.BucketStoragePrefetchJob1436
    bucket-storage-transfer-schedulerc.h.b.BucketStorageUploadJob2666
    bucket-storage-uploadc.h.b.BucketStorageUploadJob1333
    delete-bucket-segmentsc.h.b.BucketStorageDeleteObsoleteSegmentsJob2574