Query string syntax

Updated at:
Copy as MD

Query string syntax filters data and simplifies conditional logic in SLS DSL.

Quick reference

Supported functions:

Type

Function

Scenario

Event check function

e_search

Checks whether event field values meet specific conditions.

Resource function

res_log_LogStore_pull

Pulls tabular data from a Logstore. Supports query-string-based whitelists and blacklists for filtering.

res_rds_mysql

Pulls tabular data from RDS MySQL. Supports query-string-based whitelists and blacklists for filtering.

Field search vs. full-text search

Feature comparison:

Feature

Field search

Full-text search

Substring search

Supported

Supported

Wildcard search using *?

Supported

Supported

Exact match search

Supported

Not supported

Regular expression search

Supported

Not supported

Numeric range search

Supported

Not supported

Numeric comparison

Supported

Not supported

Logical operators: and, or, not, and combinations

Supported

Supported

Character escaping

Escape special characters in query strings, such as asterisks (*) and backslashes (\).

  • Field name escaping

    Do not enclose field names in double quotation marks. Escape special characters with a backslash (\):

    • \*\(1+1\)\?: abc: Backslash-escaped special characters.

    • __tag__\:__container_name__: abc: Colon escaped with a backslash.

    • chinese_field: abc: Chinese characters need no escaping.

    • "content": abc: Invalid. Do not enclose field names in double quotation marks.

  • Search value escaping

    • Escape double quotation marks and backslashes within values using a backslash (\). Example: content: "abc\"xy\\z".

      Note

      Use single quotation marks for the outer string and double quotation marks for the inner search value. e_search("domain: '/url/test.jsp'") is incorrect. The correct format is e_search('domain: "/url/test.jsp"').

    • Escape asterisks (*) and question marks (?) with a backslash (\) to prevent wildcard matching.

    • Strings containing only Chinese characters, letters, digits, underscores (_), hyphens (-), asterisks (*), or question marks (?) need no double quotation marks. Otherwise, enclose the string in double quotation marks:

      • status: "\*\?()[]:=": Enclosed in double quotation marks. Only the asterisk (*) and question mark (?) require backslash escaping.

      • content: ()[]:=: Invalid. Must be enclosed in double quotation marks.

      • status: active\*test and status: active\?test: Only the wildcard character needs escaping. No double quotation marks required.

Substring search

  • Full text search

    Search for a substring across all fields.

    • Syntax

      e_search('substring')
    • Examples

      • e_search('"error"'): Substring search.

      • e_search('"active error"'): Substring search with a space in the term.

      • e_search('active error'): Multiple substrings combined with OR by default.

  • Field search

    Search for a substring in a specific field.

    • Syntax

      e_search('...')
    • Examples

      • e_search('status: active'): Substring search.

      • e_search('author: "john smith"'): Substring search with a space in the value.

      Note

      e_search('field: active error') is equivalent to field:active OR "error". This searches for `active` in the field field or performs a full text search for `error`.

Wildcard search

An asterisk (*) matches zero or more characters. A question mark (?) matches exactly one character, including multibyte characters such as Chinese characters.

  • Full text search

    Search for a substring across all fields.

    • Syntax

      e_search('substring')
    • Examples

      • e_search('active*test'): Matches zero or more characters between "active" and "test".

      • e_search('occurs*error'): Matches occurs error, occurs critical error, and similar patterns.

      • e_search('active?good'): Matches exactly one character between "active" and "good".

      • e_search('ac*tive?good'): Combines both wildcards.

      • e_search('ac*tive??go*od'): Multiple wildcards in one query.

  • Field search

    Search for a substring in a specific field.

    • Syntax

      e_search('field_name:substring')
    • Examples

      • e_search('status: active*test'): Matches zero or more characters.

      • e_search('status: active?good'): Matches a single character.

Exact match

Exact match requires the entire field value to match from start to end.

  • Syntax

    e_search('field_name==exact_match_string')
  • Examples

    • e_search('author== "john smith"'): The author field exactly matches john smith.

    • e_search('status== ac*tive?good'): Combine with wildcards.

Regular expression match

Regular expressions enable more powerful pattern matching than wildcards.

  • Syntax

    e_search('field_name~=regular_expression_string')
    Note
    • Use the r prefix to prevent backslash escaping in regular expressions.

    • Performs a partial match by default. Add ^ at the beginning and $ at the end for a full match.

  • Examples

    • e_search('status~= "\d+"'): The status field contains digits.

    • e_search('status~= "^\d+$"'): The status field is a number.

Numeric comparison

Compare field values numerically.

  • Direct numeric comparison

    Use the operators >, >=, =, <, and <= for comparison.

    e_search('age >= 18')  #  >=18
    e_search('age > 18')   #  > 18
    e_search('age = 18')   #  = 18
    e_search('age <= 18')  #  <=18
    e_search('age < 18')   #  < 18
  • Numeric range comparison

    Use closed intervals. An asterisk (*) indicates an unbounded side.

    e_search('count: [100, 200]') # >=100 and  <=200
    e_search('count: [*, 200]')   # <=200
    e_search('count: [200, *]')   # >=200

Logical operators

Combine searches with logical operators. Use parentheses () to group conditions.

Operator

Keyword

AND

and, AND, and &&. Case-insensitive.

OR

or, OR, etc. Case-insensitive.

NOT

not, NOT, and !. Case-insensitive.

Examples:

e_search('abc OR xyz')    # Logical operators are case-insensitive
e_search('abc and (xyz or zzz)')
e_search('abc and not (xyz and not zzz)')
e_search('abc && xyz')    # and
e_search('abc || xyz')    # or
e_search('abc || !xyz')   # or not

Logical operators in field-level substring matching:

e_search('field: (abc OR xyz)')      # The field contains abc or xyz
e_search('field: (abc OR not xyz)')  # The field contains abc or does not contain xyz
e_search('field: (abc && !xyz)')     # The field contains abc and does not contain xyz

Field evaluation

Check whether a field exists or meets specific conditions.

  • e_search('field: *'): The field exists.

  • e_search('not field:*'): The field does not exist.

  • e_search('not field:""'): The field does not exist.

  • e_search('field: "?"'): The field exists and its value is not empty.

  • e_search('field==""'): The field exists and its value is empty.

  • e_search('field~=".+"'): The field exists and its value is not empty.

  • e_search('not field~=".+"'): The field does not exist or its value is empty.

  • e_search('not field==""'): The field does not exist or its value is not empty.