Filtering Query Functions
Filter functions allow you to filter events or event data based on whether the query matches the filter. For example:
logscale
in(name,values=["datasource-count"])Would return all events where the name field equals datasource-count.
Filter functions can also be negated, i.e. filter the events that do not match the given filter. For example:
logscale
!in(name,values=["datasource-count"])Would return all events where the name field does not equal datasource-count.
Note
All the functions in the table below are negatable except
sample.
Table: Filtering Query Functions
| Function | Default Argument | Availability | Description |
|---|---|---|---|
array:contains(array, value) | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches | |
array:regex(array, [flags], regex) | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result | |
cidr([column], field, [file], [negate], [subnet]) | field | Filters events using CIDR subnets. | |
hashMatch([bits], [field], [hash], input, [salt]) | input | Calculates a secure hash of a field and uses it to match events as a filter. | |
in(field, ignoreCase, values) | field | Filters records by values where field is in given values. | |
sample([field], [percentage]) | percentage | Samples the event stream. | |
selfJoinFilter(field, [prefilter], where) | field | Runs query to determine IDs, and then gets all events containing one of them. | |
test(expression) | expression | Evaluates boolean expression and filters events. |