matchsig

Checks whether the string value of a field is included in the specified pattern group, and filters records based on the match result.

Command properties

Syntax

Options

guid=STR

GUID of the pattern group to use for matching.

field=STR

Name of the string field to match against the pattern group.

invert=BOOL

When set to t, outputs only records that do not match the pattern group. (Default: f)

verify=BOOL

When set to f, skips pattern group validation at the parse stage. (Default: t)

Input fields

Error codes

Parse errors

Runtime errors

None

Description

The matchsig command checks whether the string value of the specified field in input records matches the patterns defined in the pattern group. Only matching records are output. When invert=t is specified, only non-matching records are output.

If the field value is null, the record is treated as non-matching. Non-null values are converted to strings before pattern matching.

In a distributed environment, filtering runs on the Data Node.

Examples

1. Filter using a pattern group

   json "[{'line': 'GET /login HTTP/1.1'}, {'line': 'POST /api/data HTTP/1.1'}, {'line': 'hello world'}]"
   | matchsig guid=550e8400-e29b-41d4-a716-446655440000 field=line
   

   Outputs only records where the line field value matches the specified pattern group.

2. Extract records not matching a pattern group

   json "[{'line': 'GET /login HTTP/1.1'}, {'line': 'POST /api/data HTTP/1.1'}, {'line': 'hello world'}]"
   | matchsig guid=550e8400-e29b-41d4-a716-446655440000 field=line invert=t
   

   Uses the invert=t option to output only records that do not match the pattern group.