Checks whether the given pattern matches any of the values of the array and excludes the event from the search result if it does not match on any value.
Function Traits: Filter, Negatable
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
array [a] | string | required | | A string in the format of a valid array index []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. |
flags | string | optional | | The regex modifier flags to use. Valid values: d (period (.) also includes newline characters), i (ignore case for matched values), m (multi-line parsing of regular expressions). |
regex | string | required | | The regex pattern for the value on which to search the array. |
[a] The parameter name for array can be omitted; the following forms are equivalent:
array:regex("value")
and:
array:regex(array="value")
A specific syntax applies to this query function; see Array Syntax for details.
array:regex() Examples
Given events containing an 'incidents' array:
Event 1
|--------------|-------------|
| host | v1 |
| incidents[0] | Evil Bear |
| incidents[1] | Cozy Bear |
|--------------|-------------|
Event 2
|--------------|-------------|
| host | v15 |
| incidents[0] | Fancy Fly |
| incidents[1] | Tiny Cat |
| incidents[2] | Cozy Bears |
|--------------|-------------|
Find all the events where the incidents field matches the value Cozy Bear using a regular expression, grouping them by which hosts were affected:
array:regex("incidents[]", regex="^Cozy Bear$")
| groupBy(host)
Giving the output event:
|--------------|-------------|
| host | v1 |
| _count | 1 |
|--------------|-------------|
Given events containing a responses array, find all events where responses has entries ending with bear, BeAr, bEAR, and so on:
array:regex("responses[]", regex="bear$", flags="i")
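The matching rule used in the examples above, modeled in Python as an added example (this is not LogScale's implementation and not code from the original page). It shows why the anchored pattern keeps only host v1 while an unanchored one would also keep v15 through Cozy Bears. The helper names array_values, array_regex and count_by_host are hypothetical; unanchored search and negation as "no element matches" are assumptions.

```python
import re
from collections import Counter

# Flag letters from the parameter table, mapped to Python's closest equivalents.
FLAGS = {"d": re.DOTALL, "i": re.IGNORECASE, "m": re.MULTILINE}

def array_values(event, array):
    """Yield array[0], array[1], ... from a flattened event until an index is missing."""
    base = array[:-2] if array.endswith("[]") else array
    i = 0
    while f"{base}[{i}]" in event:
        yield event[f"{base}[{i}]"]
        i += 1

def array_regex(event, array, regex, flags=""):
    """True if any element of the array matches; the event is kept only then."""
    opts = 0
    for letter in flags:
        opts |= FLAGS[letter]
    pattern = re.compile(regex, opts)
    # Assumption: matching is an unanchored search, so ^ and $ must be explicit.
    return any(pattern.search(value) for value in array_values(event, array))

def count_by_host(events, regex, flags="", negate=False):
    """Filter on incidents[] and count per host, modeling `| groupBy(host)`.

    negate=True models the negated filter (assumed: keep events with no match).
    """
    kept = (e["host"] for e in events
            if array_regex(e, "incidents[]", regex, flags) != negate)
    return dict(Counter(kept))

# Constructed sample data: the two events shown on this page, in flattened form.
EVENTS = [
    {"host": "v1", "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat",
     "incidents[2]": "Cozy Bears"},
]

if __name__ == "__main__":
    print("anchored:  ", count_by_host(EVENTS, "^Cozy Bear$"))
    print("unanchored:", count_by_host(EVENTS, "Cozy Bear"))
    print("negated:   ", count_by_host(EVENTS, "^Cozy Bear$", negate=True))
    print("flags=i:   ", count_by_host(EVENTS, "BEARS$", flags="i"))
```

When a pattern is meant to match a whole value, as with a threat-actor name, leaving out the anchors silently widens the filter to any value containing that text.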