This query function may be used to select events in which the given field contains particular values. For instance, you might want to monitor events whose log message contains words such as error or warning, or whose other fields hold particular numeric values.

Although this query function accepts only two parameters, it is very useful and versatile. The first parameter specifies the field on which to filter the data. The second parameter is the string, or list of strings, against which the contents of that field are matched.

Parameter   Type       Required   Description
field       string     true       The field on which to filter events. [a]
values      [string]   true       The values on which to match the field. Only one match is required. Values can contain wildcards (i.e., *).

[a] When you provide only one parameter, the implied parameter is field.


Suppose you have a repository which is ingesting data from a few web servers. And suppose that you want to get a list of events in which the user received the HTTP code 404, for web pages "Not Found". You could do that easily with this query:

statuscode = 404

As this suggests, the field on which to check is statuscode.

Suppose further that you want to get a list of events in which the user received the HTTP codes 400 and 403, in addition to 404. Those codes represent respectively Bad Request, Forbidden, and Not Found. You could get those events with the in() function like so:

in(statuscode, values=["400","403","404"])

Using the statuscode field for the first parameter, the three error codes are listed for the second parameter, separated by commas, within an array (that is, within square brackets). Incidentally, if you wanted to include string values instead of numbers, each string value would have to be contained within double quotes.

The screenshot in Figure 307, “in() Example” below shows how this would look in the LogScale interface.

Figure 307. in() Example

There are a few other HTTP codes related to errors besides these three. You could list all of them in the array, or you could add the wildcard (i.e., *) like this:

in(statuscode, values=["4*"])

This will return all events in which the statuscode has a value starting with 4. Notice that even though only one value is given, you still have to include the square brackets. Also notice that because the wildcard is used, the double quotes are required.

Naming the field explicitly with the field parameter, as an alternative to the field =~ in(...) syntax, e.g.:

in(field=loglevel, values=["ERROR", "WARN"])

Negating an in() filter, e.g.:

!in(field=loglevel, values=["ERROR", "WARN"])

or, equivalently, using the =~ syntax with the implied field parameter:

loglevel =~ !in(values=["ERROR", "WARN"])
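To make the matching rules above concrete, here is an added Python model of in() (not LogScale code and not from this page) run over a few constructed web-server events: it implements the "only one match is required" rule, the * wildcard, and the !in() negation, and treats an event that lacks the field as not matching (an assumption of the model).

```python
import re

# Constructed sample events (not from the page): web-server log lines after
# ingestion, each already split into fields. The last one has no statuscode.
EVENTS = [
    {"statuscode": "200", "loglevel": "INFO",  "path": "/index.html"},
    {"statuscode": "404", "loglevel": "WARN",  "path": "/missing.html"},
    {"statuscode": "403", "loglevel": "WARN",  "path": "/admin"},
    {"statuscode": "400", "loglevel": "ERROR", "path": "/api?q="},
    {"statuscode": "500", "loglevel": "ERROR", "path": "/api/v1"},
    {"statuscode": "401", "loglevel": "INFO",  "path": "/login"},
    {"loglevel": "INFO", "path": "/health"},
]


def value_pattern(value):
    """Turn one in() value into an anchored regex. Only '*' is a wildcard;
    every other character, including '?', '.' and '[', is matched literally."""
    parts = [re.escape(p) for p in str(value).split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def in_filter(events, field, values, negate=False):
    """Model in(field, values=[...]) and its negation !in(...).

    An event passes when the named field is present and its text matches ANY
    of the values (only one match is required); matching is case-sensitive
    here. Assumption of this model: an event lacking the field never matches
    in(), so the negated filter keeps it. Returns the surviving events.
    """
    patterns = [value_pattern(v) for v in values]

    def matches(event):
        text = event.get(field)
        return text is not None and any(p.match(str(text)) for p in patterns)

    return [e for e in events if matches(e) != negate]


if __name__ == "__main__":
    # in(statuscode, values=["400","403","404"])
    print(in_filter(EVENTS, "statuscode", ["400", "403", "404"]))
    # in(statuscode, values=["4*"]): every 4xx code; brackets still required
    print(in_filter(EVENTS, "statuscode", ["4*"]))
    # !in(field=loglevel, values=["ERROR", "WARN"])
    print(in_filter(EVENTS, "loglevel", ["ERROR", "WARN"], negate=True))
```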