Find Matches in Array Given a Regular Expression - Example 1

Use regular expressions to search for and match specific patterns in flat arrays

Query

logscale
array:regex("incidents[]", regex="^Cozy Bear.*")
| groupBy(host)

Introduction

A regular expression is a form of advanced searching that looks for specific patterns rather than for fixed terms and phrases. You can use a regular expression to find all matches in an array.

In this example, the regular expression is used to find events where an element of the incidents array begins with the value Cozy Bear (the ^ anchor ties the match to the start of the element).

Example incoming data might look like this:

host | incidents[0] | incidents[1] | incidents[2]
---- | ------------ | ------------ | ------------
v1   | Evil Bear    | Cozy Bear    |
v15  | Fancy Fly    | Tiny Cat     | Cozy Bears
v22  | Fancy Fly    | Tiny Cat     | Cold Bears
v4   | Fancy Fly    | Tiny Cat     | Cozy Bearskins
v1   | Evil Bear    | Cozy Bears   |

Step-by-Step

  1. Starting with the source repository events.

  2. (Query flow: Events -> Array Manipulation -> Aggregate -> Result Set; this step is the Array Manipulation stage.)
    logscale
    array:regex("incidents[]", regex="^Cozy Bear.*")

    Searches the incidents array for values that start with Cozy Bear and keeps every event in which at least one element matches that regular expression. Because the pattern is anchored with ^, Cozy Bear, Cozy Bears and Cozy Bearskins all match, while Cold Bears does not.

  3. (Query flow: Events -> Array Manipulation -> Aggregate -> Result Set; this step is the Aggregate stage.)
    logscale
    | groupBy(host)

    Groups the returned results by host.

  4. Event Result set.

Summary and Results

The query uses a regular expression to quickly search for and return specific values in arrays. Regular expressions are useful when searching for different strings that share the same pattern, such as social security numbers, URLs, email addresses, and other strings that follow a specific format.

Sample output from the incoming example data:

host | _count
---- | ------
v1   | 2
v15  | 1
v4   | 1
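To make the matching and counting behaviour concrete, the following added example (not part of the LogScale documentation or its implementation) reproduces the query over the sample events in Python: the hypothetical array_regex keeps an event when any element of the flat incidents[] array matches the pattern, and group_by_count mirrors groupBy(host) with its default _count field. It assumes the events are stored as flat "incidents[N]" fields and that the regex is matched anywhere in the value unless anchored, which is why the ^ anchor in the page's query matters.

```python
import re
from collections import Counter

# Constructed sample events mirroring the page's incoming-data table,
# stored as flat "incidents[N]" fields.
EVENTS = [
    {"host": "v1",  "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat", "incidents[2]": "Cozy Bears"},
    {"host": "v22", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat", "incidents[2]": "Cold Bears"},
    {"host": "v4",  "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat", "incidents[2]": "Cozy Bearskins"},
    {"host": "v1",  "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bears"},
]


def array_values(event, array):
    """Return the elements of a flat array field ("incidents[]") in index order."""
    prefix = array[:-2]  # strip the trailing "[]" from the array name
    key_rx = re.compile(re.escape(prefix) + r"\[(\d+)\]$")
    indexed = []
    for key, value in event.items():
        m = key_rx.match(key)
        if m:
            indexed.append((int(m.group(1)), value))
    return [value for _, value in sorted(indexed)]


def array_regex(events, array, regex):
    """Hypothetical stand-in for array:regex(): keep an event when at least one
    array element matches. re.search matches anywhere in the value, so only an
    explicit ^ anchor restricts the match to the start of the element (assumption)."""
    rx = re.compile(regex)
    return [e for e in events if any(rx.search(v) for v in array_values(e, array))]


def group_by_count(events, field):
    """Mirror groupBy(field): one row per distinct value with a _count of events."""
    counts = Counter(e.get(field) for e in events)
    return {value: count for value, count in sorted(counts.items())}


def run_query(regex, events=EVENTS):
    """array:regex("incidents[]", regex=...) | groupBy(host) over the sample events."""
    return group_by_count(array_regex(events, "incidents[]", regex), "host")


if __name__ == "__main__":
    # The page's query: v1 appears twice, so its _count is 2; v22 (Cold Bears) is dropped.
    print(run_query("^Cozy Bear.*"))
```

Running the same pipeline with an unanchored pattern such as "Bears$" keeps v22 and drops v4, which shows why the anchor in the page's query changes which hosts are reported.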