Filter Hostnames Beginning With Specific Prefix

Match server names that begin with a specific prefix using the text:startsWith() function

Query

text:startsWith(string=hostname, substring="web-")

Introduction

The text:startsWith() function can be used to filter events by checking if a field value begins with a specified substring. It includes events when there is a match and excludes events otherwise.

In this example, the text:startsWith() function is used to filter events where the hostname begins with web-, a common prefix for web servers.

Example incoming data might look like this:

| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |

Step-by-Step

  1. Starting with the source repository events.

  2. text:startsWith(string=hostname, substring="web-")

    Filters events where the value in the hostname field starts with web-.

    The string parameter specifies the field to check, and the substring parameter defines the prefix to match. The function performs a case-sensitive comparison.

  3. Event Result set.

Summary and Results

The query is used to filter events based on server naming conventions, specifically identifying web-related servers.

This query is useful, for example, to monitor specific server types in your infrastructure, analyze events from web servers, or filter logs based on standardized naming patterns.

Sample output from the incoming example data:

| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |

Note that only events where hostname begins with web- are included in the results. The match is case-sensitive, so hostnames starting with WEB- would not be included.
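
Because the match is case-sensitive and requires the full prefix including the hyphen, hosts that deviate from the naming convention drop out of the result set without any indication. The following Python sketch is an added example, not LogScale code or part of the original documentation: it models the prefix rule described above offline and reports which hostnames the filter would leave out and why. The helper names `classify` and `audit` are hypothetical, and the two uppercase and mixed-case rows are constructed.

```python
# Added example: offline model of the case-sensitive prefix rule described above.
# Not LogScale code; classify() and audit() are hypothetical helper names.
import re

# Rows from the page's sample data, plus two constructed rows to exercise case handling.
EVENTS = [
    {"hostname": "web-server-01", "status": "running", "region": "us-east"},
    {"hostname": "webapp-prod-02", "status": "stopped", "region": "us-west"},
    {"hostname": "db-server-03", "status": "running", "region": "eu-west"},
    {"hostname": "web-prod-04", "status": "running", "region": "us-east"},
    {"hostname": "app-server-05", "status": "stopped", "region": "eu-west"},
    {"hostname": "web-test-06", "status": "running", "region": "us-west"},
    {"hostname": "WEB-legacy-07", "status": "running", "region": "us-east"},  # constructed
    {"hostname": "Web-dr-08", "status": "stopped", "region": "eu-west"},      # constructed
]

def classify(hostname, prefix="web-"):
    """Return 'match', 'case-variant', 'stem-only' or 'other' for one hostname."""
    if hostname.startswith(prefix):              # same rule as the query: exact-case prefix
        return "match"
    if hostname.lower().startswith(prefix.lower()):
        return "case-variant"                    # e.g. WEB-..., excluded by the filter
    stem = re.sub(r"[^a-z0-9]+$", "", prefix.lower())   # "web-" -> "web"
    if stem and hostname.lower().startswith(stem):
        return "stem-only"                       # e.g. webapp-..., no separator after stem
    return "other"

def audit(events, prefix="web-"):
    """Group hostnames by how they relate to the prefix filter."""
    report = {"match": [], "case-variant": [], "stem-only": [], "other": []}
    for event in events:
        host = event.get("hostname")
        if host is None:                         # this model skips events with no hostname
            continue
        report[classify(host, prefix)].append(host)
    return report

if __name__ == "__main__":
    for bucket, hosts in audit(EVENTS).items():
        print(f"{bucket:13} {hosts}")
```

Hosts in the `case-variant` and `stem-only` buckets are the ones to review when a dashboard or alert built on this filter must cover every web server.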