This query function may be used to select events in which the given field contains particular values. For instance, you might want to monitor events in which log messages contain error, warning, or other similar words in log entries, or perhaps particular numeric values in other fields.
Although this query function allows for only two parameters, it's very useful and versatile. For the first parameter, you would specify the field on which to filter data. The second parameter would the string or multiple strings on which to match the contents of the field.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | string | true | The field on which to filter events. [a] | |
values | [string] | true | The values on which to match the field. Only one match is required. Values can contain wildcards (i.e., *). | |
Examples
Suppose you have a repository which is ingesting data from a few web servers. And suppose that you want to get a list of events in which the user received the HTTP code 404, for web pages "Not Found". You could do that easily with this query:
statuscode = 404
As this suggests, the field on which to check is
statuscode.
Suppose further that you want to get a list of events in which the user
received the HTTP codes 400 and 403, in addition to 404. Those codes
represent respectively Bad Request, Forbidden, and Not Found. You could
get those events with the in() function like so:
in(statuscode, values=["400","403","404"])
Using the statuscode field for the
first parameter, for the second parameter, the three error codes are
listed, separated by commas, within an within an array — within
square-brackets. Incidentally, if you wanted to include string values
instead of numbers, each string value would have to be contained within
double-quotes.
The screenshot in Figure 307, “in() Example” below
shows how this would look in the LogScale interface.
Figure 307. in() Example
There are a few other HTTP codes related to errors besides these three.
You could list all of them in the array, or you could add the wildcard
(i.e., *) like this:
in(statuscode, values=["4*"])
This will return all events in which the
statuscode has a value starting
with 4. Notice that even though only one value is given, somewhat, you
have to include the square-brackets. Also, notice that since the
wildcard is used, the double-quotes is required.
Using the field parameter in addition to the
=~ syntax, e.g.:
in(field=loglevel, values=["ERROR", "WARN"])
Negating an in() filters, e.g.:
!in(field=loglevel, values=["ERROR", "WARN"])and
loglevel =~ !in(values=["ERROR", "WARN"])