Skip to content
Cruncher

contains

contains

✓ Boolean

Check if a string contains a substring as a case-sensitive match

contains(string, substring) → boolean
boolean

true if string contains substring, false otherwise; null if either input is null

Edge Cases

Section titled “Edge Cases”
  • If string is null, returns null
  • If substring is null, returns null
  • Empty substring "" matches any string (returns true)
  • Search is case-sensitive: contains("Error", "error") returns false

Examples

Section titled “Examples”
| where contains(message, "error")

Matches records where the message field contains “error”.

| eval has_timeout = contains(error_message, "timeout")

Creates a boolean field has_timeout that is true if error_message contains “timeout”.

| eval is_json = contains(raw_log, "{")

Detects if raw_log contains JSON (looks for opening brace).

Used In

Section titled “Used In”
  • where — as a filter condition
  • eval — to create a boolean field