searchmatch()
| This command is experimental |
Definition
searchmatch() returns results that match with the search string in the function. It’s used as a part of an evaluation, but also with fieldformat, stats and where commands.
Examples
The JSON dataset following examples use is called join_json_one. You can replace it with your dataset’s name.
After extracting the JSON content, the dataset consists of the following fields:
| _time | success | count | operation | user | target |
| ----------------------------- | ------- | ----- | --------- | ------ | ------ |
| 2021-12-30T20:17:47.000+02:00 | true | 10 | spy | Carlos | Daniel |
| 2021-12-26T20:17:30.000+02:00 | false | 0 | spy | Alice | Erin |
| 2021-12-26T19:18:51.000+02:00 | true | 20 | defend | Alice | Bob |searchmatch() as a part of evaluation
You can use searchmatch() with eval and other evaluation commands.
In the following example, the query searches results where the success is set as TRUE. It also creates a new column called operation_status. If a row matches with the query’s criteria, it adds "complete" in the operation_status column. If it doesn’t match with the criteria, it adds "failed".
%dpl
index=join_json_one earliest="01/01/2021:00:00:00"
| spath
| eval operation_status= if(searchmatch("success=true"),"complete","failed")
Searching from _raw with searchmatch() gives an error. This will be fixed before the community release.
|
Where and searchmatch()
searchmatch can be used with where command.
In the following example, the query searches spy operations from the dataset. You also can get the same result by only using where.
%dpl
index=join_json_one earliest="01/01/2021:00:00:00"
| spath
| where searchmatch("operation=spy")
Searching from _raw with searchmatch() gives an error. This will be fixed before the community release.
|