Filtering Query Functions

Filter functions keep or discard events based on whether each event matches the filter. For example:

```logscale
in(name, values=["datasource-count"])
```

This returns all events where the name field equals datasource-count.

Filter functions can also be negated, so that the query returns the events that do not match the given filter. For example:

```logscale
!in(name, values=["datasource-count"])
```

This returns all events where the name field does not equal datasource-count.

Note

All the functions in the table below are negatable except sample.

Table: Filtering Query Functions

| Function | Implied Argument | Availability | Description |
|---|---|---|---|
| array:contains(array, value) | array | introduced in 1.62 | Checks whether the given value matches any of the values of the array and excludes the event if no value matches |
| array:regex(array, [flags], regex) | array | introduced in 1.62 | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result |
| cidr([column], [field], [file], [negate], [subnet]) | field | | Filters events using CIDR subnets. |
| hashMatch([bits], [field], [hash], input, [salt]) | input | | Calculates a secure hash of a field and uses it to match events as a filter. |
| in(field, values) | field | | Filters records by values where field is in given values. |
| sample([field], [percentage]) | percentage | | Samples the event stream. |
| selfJoinFilter(field, [prefilter], where) | field | | Runs query to determine IDs, and then gets all events containing one of them. |
| test(expression) | expression | | Evaluates boolean expression and filters events. |