match

match

✓ Boolean

Test if a string matches a regular expression pattern

Signature match(string, pattern) → boolean

Returns

boolean

true if string matches the regex pattern, false otherwise; null if either input is null

The match function returns true if the input string matches the given regular expression pattern, otherwise false.

Edge Cases

• If string is null, returns null
• If pattern is null, returns null
• Pattern uses standard regex syntax (., *, +, ^, $, [...], etc.)
• Match is case-sensitive by default: match("ERROR", "error") returns false

Tip

Use match() to test regex patterns. Use the regex command to extract named groups from the matched pattern.

Examples

| where match(message, `^Error:.*`)

Matches records where message starts with “Error:”.

| eval is_4xx_5xx = match(status_code, `^[45][0-9]{2}$`)

Creates a boolean field that is true if status_code is a 4xx or 5xx HTTP status.

| where match(hostname, `^(prod|staging)-.*`)

Matches hostnames that start with either “prod-” or “staging-”.

| eval is_uuid = match(id, `^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

Checks if id looks like a UUID.

Used In

• where — as a filter condition
• eval — to create a boolean field