This query function may be used to select events in which the given field contains particular values. For instance, you might want to monitor events in which log messages contain error, warning, or other similar words in log entries, or perhaps particular numeric values in other fields.
Although this query function allows for only three parameters, it's very useful and versatile. For the first parameter, you would specify the field on which to filter data. The second parameter sets whether the search should be case-insensitive. The third parameter would be the string or multiple strings on which to match the contents of the field.
|string||required||The field on which to filter events.|
|string||required||Allows for case-insensitive searching.|
|Array of strings||required|| The values on which to match the field. Only one match is required. Values can contain wildcards (i.e., |
The parameter name for
field can be omitted; the following forms are equivalent:
Suppose you have a repository which is ingesting data from a few web servers. And suppose that you want to get a list of events in which the user received the HTTP code 404, for web pages Not Found. You could do that easily with this query:
status = 404
As this suggests, the field on which to check is status.
Suppose further that you want to get a list of events in which the user
received the HTTP codes 422 and
200. Those codes represent respectively
Unable to be processed, and
Successful. You could get those events with the
in() function like so:
Using the status field for the first parameter; for the second parameter, the two statuses are listed, separated by commas, within an array — within square-brackets. Incidentally, if you wanted to include string values instead of numbers, each string value would have to be contained within double-quotes.
The screenshot in Figure 103, “
in() Example” below
shows how this would look in the LogScale interface.
There are a few other HTTP codes related to errors besides these two.
You could list all of them in the array, or you could add the wildcard
*) like this:
This will return all events in which the status has a value starting with 4. Notice that even though only one value is given, you have to include the square-brackets. Also, notice that since the wildcard is used, the double-quotes is required.
field parameter in addition to the
in(field=loglevel, values=["ERROR", "WARN"])
!in(field=loglevel, values=["ERROR", "WARN"])
loglevel =~ !in(values=["ERROR", "WARN"])