Exclude Servers Beginning With Specific Prefix

Filter out servers whose hostname begins with a specific prefix by negating the text:startsWith() function.

Query

```logscale
!text:startsWith(string=hostname, substring="web-")
```

Introduction

The text:startsWith() function can be negated using ! to exclude events where a field value begins with a specified substring.

In this example, the negated text:startsWith() function is used to filter out events where the hostname begins with web-, showing all non-web servers.

Example incoming data might look like this:

| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:00Z | web-server-01 | running | us-east |
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:03Z | web-prod-04 | running | us-east |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |
| 2023-06-06T10:00:05Z | web-test-06 | running | us-west |

Step-by-Step

  1. Starting with the source repository events.

  2. ```logscale
     !text:startsWith(string=hostname, substring="web-")
     ```

    Filters events where the value in the hostname field does NOT start with web-.

    The exclamation mark (!) negates the function, inverting the match. The string parameter specifies the field to check, and the substring parameter defines the prefix to exclude. The comparison remains case-sensitive.

  3. Event Result set.

Summary and Results

The query is used to filter events by excluding servers with specific naming conventions, showing all non-web servers.

This query is useful, for example, to monitor all backend infrastructure excluding web servers, analyze events from supporting services, or focus on specific server types by excluding others.

Sample output from the incoming example data:

| @timestamp | hostname | status | region |
|---|---|---|---|
| 2023-06-06T10:00:01Z | webapp-prod-02 | stopped | us-west |
| 2023-06-06T10:00:02Z | db-server-03 | running | eu-west |
| 2023-06-06T10:00:04Z | app-server-05 | stopped | eu-west |

Note that all events where hostname does NOT begin with web- are included in the results. The negation excludes only hostnames that begin with the exact prefix web-, hyphen included, so webapp-prod-02 remains in the results.
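The following Python model of the negated filter is an added example, not part of the LogScale documentation. It reproduces the result set above and lists kept hostnames that only narrowly miss the prefix, which is worth reviewing before an exclusion like this goes into a monitoring query. The function names and the `WEB-edge-07` row are constructed for illustration.

```python
import csv
import io

# Sample events from the page, plus one constructed row (WEB-edge-07)
# added to exercise the case-sensitive comparison.
SAMPLE = """\
@timestamp,hostname,status,region
2023-06-06T10:00:00Z,web-server-01,running,us-east
2023-06-06T10:00:01Z,webapp-prod-02,stopped,us-west
2023-06-06T10:00:02Z,db-server-03,running,eu-west
2023-06-06T10:00:03Z,web-prod-04,running,us-east
2023-06-06T10:00:04Z,app-server-05,stopped,eu-west
2023-06-06T10:00:05Z,web-test-06,running,us-west
2023-06-06T10:00:06Z,WEB-edge-07,running,us-east
"""


def load_events(text=SAMPLE):
    """Parse the CSV sample into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def exclude_prefix(events, field, prefix):
    """Model of !text:startsWith(string=field, substring=prefix):
    keep events whose field value does not start with the exact,
    case-sensitive prefix."""
    return [e for e in events if not e[field].startswith(prefix)]


def near_misses(events, field, prefix):
    """Among the events the filter keeps, list values that resemble the
    prefix: same letters in another case, or the prefix without its
    trailing separator. These are names an analyst may have meant to
    exclude."""
    stem = prefix.rstrip("-_.").lower()
    kept = exclude_prefix(events, field, prefix)
    return [e[field] for e in kept if e[field].lower().startswith(stem)]


if __name__ == "__main__":
    events = load_events()
    for e in exclude_prefix(events, "hostname", "web-"):
        print(e["@timestamp"], e["hostname"], e["status"], e["region"])
    print("review:", near_misses(events, "hostname", "web-"))
```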