match()

This command is experimental

Definition

match() returns the results that match the regular expression given as its argument. It is used as part of evaluation, but also with the stats and where commands.

Examples

The JSON dataset the following examples use is called join_json_one. You can replace it with your own dataset’s name.

After extracting the JSON content, the dataset consists of the following fields:

| _time                         | success | count | operation | user   | target |
| ----------------------------- | ------- | ----- | --------- | ------ | ------ |
| 2021-12-30T20:17:47.000+02:00 | true    | 10    | spy       | Carlos | Daniel |
| 2021-12-26T20:17:30.000+02:00 | false   | 0     | spy       | Alice  | Erin   |
| 2021-12-26T19:18:51.000+02:00 | true    | 20    | defend    | Alice  | Bob    |

match() as a part of evaluation

You can use match() with eval and other evaluation commands.

In the following example, the query searches all spy operations and creates a new column called spy_operations. If a row matches the query’s criteria, "yes" is written to the spy_operations column; if it doesn’t match, "no" is written.

%dpl
index=join_json_one earliest="01/01/2021:00:00:00"
| spath
| eval spy_operations=if(match(operation, "spy"), "yes", "no")

example of match() in evaluation

Searching from _raw with match() gives an error. This will be fixed before the community release.

Stats and match()

stats doesn’t yet support match().

Where and match()

match() can be used with the where command.

In the following example, the query searches for spy operations in the dataset. You can also get the same result by using where alone.

%dpl
index=join_json_one earliest="01/01/2021:00:00:00"
| spath
| where match(operation, "spy")

example of match() with where command

Searching from _raw with match() gives an error. This will be fixed before the community release.
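As an added illustration that is not part of this page or of the DPL implementation, the following Python models what the two queries above compute over the sample join_json_one rows (constructed inline). It assumes match() is an unanchored regex search, as the definition describes, so a pattern such as "spy" also matches a longer value like "counterspy" unless the pattern is anchored.

```python
import re

# Constructed copy of the join_json_one rows shown on the page (after spath).
ROWS = [
    {"_time": "2021-12-30T20:17:47.000+02:00", "success": "true", "count": 10,
     "operation": "spy", "user": "Carlos", "target": "Daniel"},
    {"_time": "2021-12-26T20:17:30.000+02:00", "success": "false", "count": 0,
     "operation": "spy", "user": "Alice", "target": "Erin"},
    {"_time": "2021-12-26T19:18:51.000+02:00", "success": "true", "count": 20,
     "operation": "defend", "user": "Alice", "target": "Bob"},
]


def match(field_value, pattern):
    """Model of match(): true when the regex is found anywhere in the value.
    Assumption: an unanchored search, so "spy" also matches "counterspy"."""
    return re.search(pattern, field_value) is not None


def eval_flag(rows, field, pattern, new_field):
    """Models: | eval new_field=if(match(field, pattern), "yes", "no")"""
    return [dict(row, **{new_field: "yes" if match(row[field], pattern) else "no"})
            for row in rows]


def where(rows, field, pattern):
    """Models: | where match(field, pattern)"""
    return [row for row in rows if match(row[field], pattern)]


if __name__ == "__main__":
    for row in eval_flag(ROWS, "operation", "spy", "spy_operations"):
        print(row["user"], row["operation"], row["spy_operations"])
    print(len(where(ROWS, "operation", "spy")), "spy rows")
    # Unanchored search: a constructed "counterspy" value also matches "spy";
    # anchor the pattern when an exact value is required in a filter.
    print(match("counterspy", "spy"), match("counterspy", "^spy$"))
```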

Further Reading