This query function performs a wildcard pattern search with optional case insensitivity.
The primary purpose is to make it easier to do case insensitive searching across fields and events using a wildcard pattern instead of a regular expression. This is especially useful for users unfamiliar with regular expressions.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | array of strings | optional | Determines which fields the pattern should search in. When no fields are given, all fields of the original, unmodified event will be searched. | |
ignoreCase | boolean | optional | false | Allows for case-insensitive searching. |
pattern | string | required | Wildcard (glob) pattern to search for. |
Depending on the field and
ignoreCase arguments, the
wildcard() behavior can vary:
Whenever
ignoreCaseistrue:the search will be case-insensitive; for example, if the given pattern is
*http*then this will match any upper/lower-case combination of HTTP.the search is equivalent to a case-insensitive regex, either on the given fields, or as an unanchored freetext regex that searches the entire, original, unmodified event — see the example below Searching Fields Through a Given Pattern – Example 5.
Whenever
ignoreCaseisfalse, the search is equivalent to a wildcard-search, either on the given fields, or as an unanchored, freetext search on the entire, original, unmodified event.
To sum up:
Table: wildcard() behavior
field is [] or not specified
|
field is specified as [field1, field2, …, ]
| |
|
|
*<pattern>*
|
field1=<pattern> OR field2=<pattern>
OR …
|
|
|
/<patternAsRegex>/i
|
field1=/<patternAsRegex>/i OR
field2=/<patternAsRegex>/i OR …(as unanchored
regexes)
|
Note
For performance reasons, only set ignoreCase to
true if necessary; the case-insensitive search might be up
to 2x slower than having this parameter set to false
— depending on the search pattern and the data.
The following query:
wildcard(field=myField, pattern="*foobar*")can be written as:
myField =~ wildcard("*foobar*")
This is because pattern is the implicit parameter,
and parameters named field can be used with the
=~ shorthand syntax in general in the query
language.
wildcard(...) can be negated by using not
wildcard(...), this finds all events that did not match the given
pattern.
wildcard() Examples
Finding Fields with Data in Class
wildcard(field=class,pattern="*Data*")
|groupBy(class)
Find all events containing any Data string in their
class, and count the occurrences for each
class that is found. For example, it can be used to get a list of
events that have items such as DataIngestRateMonitor, or
LocalDatasource.
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search the incoming data to list all events having Data (and everything around it) in their string.
logscalewildcard(field=class,pattern="*Data*") - flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
Take the events extracted from the search and group them by the class field.
logscale|groupBy(class) Event Result set
The result is an aggregated count of all events matching
anything with Data (with one or more characters
before or after), in the class field.
 |
Figure 110. Searching Data with wildcard()
Finding Fields with S3Bucket in Class
wildcard(field=class, pattern="*S3Bucket*", ignoreCase=true)
|groupBy(class)
Find all events containing any S3Bucket item (and all
before and after) in their class, and count
the occurrences for each class that is found.
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search the incoming data to list all events having S3Bucket (or everything around it, case-insensitive) in their string.
logscalewildcard(field=class, pattern="*S3Bucket*", ignoreCase=true) - flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
Take the events extracted from the search and group them by the class field.
logscale|groupBy(class) Event Result set
The result is an aggregated count of all events matching
anything with S3Bucket , case-insensitive, in the
class field.
 |
Figure 111. Searching S3Bucket with wildcard()
Searching Fields Through a Given Pattern – Example 1
wildcard(field=animal, pattern=horse, ignoreCase=false)Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events where the field
animal contains the
exact value horse , and make it case-sensitive.
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search elements in the field animal that match
horse.logscalewildcard(field=animal, pattern=horse, ignoreCase=false) Event Result set
The result is a list of events matching exactly the given
pattern horse .
The query used is equivalent to animal="horse" .
Searching Fields Through a Given Pattern – Example 2
wildcard(field=animal, pattern=horse, ignoreCase=true)Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events where the field
animal contains the
value horse , and make it case-insensitive.
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search elements in the field animal that match
horse, case-insensitive.logscalewildcard(field=animal, pattern=horse, ignoreCase=true) Event Result set
The result is a list of events matching either
horse or Horse .
The query used is equivalent to
animal=/\Ahorse\z/i.
Note that it is anchored.
Searching Fields Through a Given Pattern – Example 3
wildcard(field=animal, pattern=*h*rse*, ignoreCase=true)Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|Find events where field animal matches the given pattern, and it's case-insensitive:
Step-by-StepStarting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search elements in the field animal that match
*h*rse*.logscalewildcard(field=animal, pattern=*h*rse*, ignoreCase=true) Event Result set
The result is a list of the following accepted events:
horseHorseHORSEScrazy hOrSedancing with horseshooorse
The query used is equivalent to: animal=/h.*rse/i .
Note that it is unanchored.
Searching Fields Through a Given Pattern – Example 4
wildcard(pattern=horse, ignoreCase=false)Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events that contain horse , case-sensitive:
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search elements in the field animal that match anything with
horse.logscalewildcard(pattern=horse, ignoreCase=false) Event Result set
The result accepts the events horse and
dancing with horses . This query is equivalent to
the freetext search "horse" .
Searching Fields Through a Given Pattern – Example 5
wildcard(pattern=horse, ignoreCase=true)Given the following events:
|--------------|------------------------|
| animal | horse |
| animal | Horse |
| animal | duck |
| animal | HORSES |
| animal | crazy hOrSe |
| animal | hooorse |
| animal | dancing with horses |
|--------------|------------------------|
Find events that contain horse , case-insensitive:
Starting with the source repository events
- flowchart LR; repo{{Events}} 0[/Filter/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Search elements in the field animal that match anything with
horse, case-insensitive.logscalewildcard(pattern=horse, ignoreCase=true) Event Result set
The result is a list of the following accepted events:
horseHorseHORSEScrazy hOrSedancing with horses.
This query is equivalent to the freetext regex
/horse/i .