Checks whether the given pattern matches any of the values of the array and excludes the event from the search result if it does not match on any value.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
array | string | true | | A string in the format of a valid array index `[]`. A valid array can either be an identifier, a valid array followed by `.` and an identifier, or a valid array followed by an array index surrounded by square brackets. E.g., for events with fields `incidents[0]`, `incidents[1]`, ... this would be `"incidents[]"`. [a] |
flags | string | false | | The regex flags to use: `i` for case-insensitive match; `m` for multi-line matching; and `d` makes `.` include newlines. |
regex | string | true | | The regex pattern for the value on which to search the array. |
A specific syntax applies for this query function, see Array Syntax for details.
Examples
Given events containing an 'incidents' array:
Event 1

```logscale
|--------------|-------------|
| host         | v1          |
| incidents[0] | Evil Bear   |
| incidents[1] | Cozy Bear   |
|--------------|-------------|
```
Event 2

```logscale
|--------------|-------------|
| host         | v15         |
| incidents[0] | Fancy Fly   |
| incidents[1] | Tiny Cat    |
| incidents[2] | Cozy Bears  |
|--------------|-------------|
```
Find all the events where an entry in incidents matches the exact value Cozy Bear, and group them by which hosts were affected:

```logscale
array:regex("incidents[]", regex="^Cozy Bear$")
| groupBy(host)
```

This gives the output event:

```logscale
|--------------|-------------|
| host         | v1          |
| _count       | 1           |
|--------------|-------------|
```
Given events containing a responses array, find all events where responses has entries ending with bear, BeAr, bEAR, and so on.

```logscale
array:regex("responses[]", regex="bear$", flags="i")
```
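The matching behaviour of the two queries above can be checked offline with a small Python model, added here as an illustration and not LogScale's own code. The helper names are hypothetical, and the model assumes unanchored regex search and array elements read from index 0 up to the first missing index.

```python
import re
from collections import Counter

# Map the flags from the parameter table onto Python's re flags.
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "d": re.DOTALL}

def array_values(event, array):
    """Yield the values of flat fields such as incidents[0], incidents[1], ..."""
    if not array.endswith("[]"):
        raise ValueError("array must end with [] as in 'incidents[]'")
    base = array[:-2]
    i = 0
    # Assumption: elements are read from index 0 until the first missing index.
    while f"{base}[{i}]" in event:
        yield event[f"{base}[{i}]"]
        i += 1

def array_regex(events, array, regex, flags=""):
    """Keep only events where at least one array element matches the pattern."""
    opts = 0
    for f in flags:
        opts |= FLAG_MAP[f]
    pattern = re.compile(regex, opts)
    # Assumption: unanchored search, so ^ and $ are needed for an exact match.
    return [e for e in events
            if any(pattern.search(v) for v in array_values(e, array))]

def group_by_host(events):
    """Model of groupBy(host): count the surviving events per host."""
    return dict(Counter(e["host"] for e in events))

# Constructed sample: the two events shown on this page.
EVENTS = [
    {"host": "v1", "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat",
     "incidents[2]": "Cozy Bears"},
]

if __name__ == "__main__":
    # Anchored pattern: "Cozy Bears" on v15 does not match.
    print(group_by_host(array_regex(EVENTS, "incidents[]", "^Cozy Bear$")))
    # Unanchored pattern: v15 is now included as well.
    print(group_by_host(array_regex(EVENTS, "incidents[]", "Cozy Bear")))
    # Case-insensitive suffix match, as in the responses example.
    print(group_by_host(array_regex(EVENTS, "incidents[]", "bear$", "i")))
```

Dropping the `^` and `$` anchors is what pulls host v15 into the result through its `Cozy Bears` entry, which matters when a detection is meant to key on one exact value.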