The text:startsWith() function compares two
strings and evaluates whether one string begins with another
string.
text:startsWith() takes two arguments:
string and
substring,
both of which can be provided as plain text, field values, or
results of an expression.
Similar to the test() function,
text:startsWith() returns the events where
the condition is met. The function can be negated to find the
events, where the substring is not found in the string.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
string[a] | expression | required | The string in which the starting substring is matched. | |
substring | expression | required | The substring which is matched at the beginning of the corresponding string parameter. It specifies the characters to match at the beginning of the string. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
stringcan be omitted; the following forms of this function are equivalent:logscale Syntaxtext:startsWith("value",substring="value")and:
logscale Syntaxtext:startsWith(string="value",substring="value")These examples show basic structure only.
text:startsWith() Syntax Examples
Filter events where a field value starts with a string (having the string as a field and the substring as a value):
This example finds all events where files were accessed in a specific folder.
text:startsWith(string=file, substring="C:\\Windows\System32")If input data was "file=C:\\Windows\\System32","file=C:\\Windows\\System32\Taskmgr.exe","file=C:\\MyDocuments\powerpoint.exe", it would return:
| file |
|---|
| C:\\Windows\\System32 |
| C:\\Windows\\System32\Taskmgr.exe |
Filter events where a field value is the prefix of a string (having the string as a value and the substring as a field):
This example finds all events where folders leading to a specific executable were accessed.
text:startsWith(string="C:\\Windows\System32\taskkill.exe", substring=file)If input data was "file=C:\\Windows\\System32","file=C:\\Windows\\System32\Taskmgr.exe","file=C:\\MyDocuments\powerpoint.exe", it would return:
| file |
|---|
| C:\\Windows\\System32 |
Filter events where a field value does not start with a string (using negation):
This example filters out events where a certain folder was accessed.
!text:startsWith(string=file, substring="C:\\MyDocuments")If input data was "file=C:\\Windows\\System32","file=C:\\Windows\\System32\Taskmgr.exe","file=C:\\MyDocuments\powerpoint.exe", it would return:
| file |
|---|
| C:\\Windows\\System32 |
| C:\\Windows\\System32\Taskmgr.exe |
Filter events where the evaluated value of an expression starts with a given string (having string as an expression):
This example finds all commands attempting to access a certain executable.
text:startsWith(string=lower(commandline), substring="c:\\windows\system32\killtask.exe")If input data was "commandline=C:\\Windows\\System32\KillTask.exe","commandline=C:\\Windows\\System32\killtask.exe","commandline=C:\\MyDocuments\powerpoint.exe", it would return:
| commandline |
|---|
| C:\\Windows\\System32\KillTask.exe |
| C:\\Windows\\System32\killtask.exe |
Note
In expressions, quotation marks always mean a string value, while unquoted field names always mean the value of that field.
To use the value of a field with such a name in an
expression, the function getField() can
be used with the quoted name, like coalesce([host,
getField("host-name")]).
For more information, see Field Names in Expressions.
text:startsWith() Examples
Click next to an example below to get the full details.
Exclude Servers Beginning With Specific Prefix
Filter out servers that begin with a specific prefix using the
text:startsWith() function with negation
Query
!text:startsWith(string=hostname, substring="web-")Introduction
In this example, the negated text:startsWith()
function is used to filter out events where the hostname begins with
web-, showing all non-web servers.
Example incoming data might look like this:
| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |
Step-by-Step
Starting with the source repository events.
- logscale
!text:startsWith(string=hostname, substring="web-")Filters events where the value in the hostname field does NOT start with
web-.The exclamation mark (!) negates the function, inverting the match. The
stringparameter specifies the field to check, and thesubstringparameter defines the prefix to exclude. The comparison remains case-sensitive. Event Result set.
Summary and Results
The query is used to filter events by excluding servers with specific naming conventions, showing all non-web servers.
This query is useful, for example, to monitor all backend infrastructure excluding web servers, analyze events from supporting services, or focus on specific server types by excluding others.
Sample output from the incoming example data:
| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |
Note that all events where hostname does NOT begin
with web- are included in the results. The negation
excludes only exact matches of the prefix web-.
Filter Hostnames Beginning With Specific Prefix
Match server names that begin with a specific prefix using the
text:startsWith() function
Query
text:startsWith(string=hostname, substring="web-")Introduction
In this example, the text:startsWith() function is
used to filter events where the hostname begins with
web-, a common prefix for web servers.
Example incoming data might look like this:
| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |
Step-by-Step
Starting with the source repository events.
- logscale
text:startsWith(string=hostname, substring="web-")Filters events where the value in the hostname field starts with
web-.The
stringparameter specifies the field to check, and thesubstringparameter defines the prefix to match. The function performs a case-sensitive comparison. Event Result set.
Summary and Results
The query is used to filter events based on server naming conventions, specifically identifying web-related servers.
This query is useful, for example, to monitor specific server types in your infrastructure, analyze events from web servers, or filter logs based on standardized naming patterns.
Sample output from the incoming example data:
| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |
Note that only events where hostname begins with
web- are included in the results. The match is
case-sensitive, so hostnames starting with WEB- would
not be included.