
matches

The matches operator tests whether a string matches a wildcard pattern, such as "*iPhone*error". It returns a boolean, so it can be used inside where or if expressions.

Matches operators can be used in Dashboard Panels, and are very commonly used in conjunction with other operators to build robust queries.

Syntax:

  • ... [string expression] matches [pattern] ...
  • ... if [string expression] matches [pattern] ...
  • ... where [string expression] matches [pattern]...
  • ... !([string expression] matches [pattern])...

Rules:

  • The matches operator does not support regular expressions.

Examples:

Identifying the browsers and operating systems used to access your website.

Running a query containing a matches operator on Apache Access logs can show you the breakdown of the devices and browsers that are accessing your site. You can then create a Dashboard with this query. We've used a transpose operator in this query to allow us to name the axis of our column chart.

Running a search like:

_sourceCategory=Apache/Access
| extract "\"[A-Z]+ \S+ HTTP/[\d\.]+\" \S+ \S+ \S+ \"(?<agent>[^\"]+?)\""
| if (agent matches "*Windows NT*","Windows","Other") as OS
| if (agent matches "*Macintosh*","MacOS",OS) as OS
| if (agent matches "*iPad*","iPad",OS) as OS
| if (agent matches "*iPhone*","iPhone",OS) as OS
| if (agent matches "*Android*","Android",OS) as OS
| if (agent matches "*MSIE*","Internet Explorer","Other") as Browser
| if (agent matches "*Firefox*","Firefox",Browser) as Browser
| if (agent matches "*Safari*","Safari",Browser) as Browser
| if (agent matches "*Chrome*","Chrome",Browser) as Browser
| count(agent) by OS,Browser
| transpose row os column browser as *

Produces aggregate results similar to the following, when you configure it to create a stacked column chart:

[Image: Matches]

Viewing errors and warnings over time.

In this example, we'll run a query against Windows logs to see the distribution of errors and warnings over the previous hours. Using a timeslice operator in the query breaks the results into one-hour buckets.

Running a search like:

_sourceCategory=OS/Windows (error or warning)
| parse "Type = \"*\";" as evtType
| if (_raw matches "*EventType = Error*",1,0) as errors
| if (_raw matches "*EventType = Warning*",1,0) as warnings
| if (evtType matches "Error*",1,errors) as errors
| if (evtType matches "Warning*",1,warnings) as warnings
| timeslice by 1h
| sum(errors) as errors, sum(warnings) as warnings by _timeslice
| sort _timeslice asc

Produces results similar to the following, when you configure it to be visualized as a line chart:

[Image: Matches Event]
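The following is an added Python emulation, not Sumo Logic's implementation, of how the wildcard matching in both queries above behaves: "*" stands for any run of characters, everything else is literal (no regular expressions), and a chain of if ... matches lines lets later rules override earlier ones. The user-agent strings are constructed sample input, and the emulation assumes case-sensitive matching.

```python
import re
from collections import Counter

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a matches-style wildcard: '*' is the only metacharacter and
    stands for any run of characters (including none); everything else is
    escaped so it is matched literally, since the operator takes no regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)

def matches(value: str, pattern: str) -> bool:
    """Whole-string match, so "Error*" is a prefix test and "*Error*" a
    substring test. Case-sensitive here (an assumption of this emulation)."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None

# Rule chains copied from the OS/Browser query; order matters.
OS_RULES = [("*Windows NT*", "Windows"), ("*Macintosh*", "MacOS"),
            ("*iPad*", "iPad"), ("*iPhone*", "iPhone"), ("*Android*", "Android")]
BROWSER_RULES = [("*MSIE*", "Internet Explorer"), ("*Firefox*", "Firefox"),
                 ("*Safari*", "Safari"), ("*Chrome*", "Chrome")]

def classify(value: str, rules, default: str = "Other") -> str:
    """Emulate a chain of `| if (x matches p, name, prev) as label` lines:
    each later rule that matches overrides the earlier result, which is why
    "*Chrome*" must come after "*Safari*" (Chrome agents also contain "Safari")."""
    label = default
    for pattern, name in rules:
        if matches(value, pattern):
            label = name
    return label

def count_by_os_browser(agents) -> Counter:
    """Equivalent of `count(agent) by OS,Browser` over a list of agent strings."""
    return Counter((classify(a, OS_RULES), classify(a, BROWSER_RULES)) for a in agents)

# Constructed sample user agents (not taken from any real log).
SAMPLE_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
]

if __name__ == "__main__":
    for (os_name, browser), n in sorted(count_by_os_browser(SAMPLE_AGENTS).items()):
        print(f"{os_name:10} {browser:18} {n}")
```

Note that the Linux Firefox agent lands in OS "Other" because none of the OS patterns cover it, the same gap the query has.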