Query string syntax
Query string syntax filters data and simplifies conditional logic in SLS DSL.
Quick reference
Supported functions:
|
Type |
Function |
Scenario |
|
Event check function |
Checks whether event field values meet specific conditions. |
|
|
Resource function |
Pulls tabular data from a Logstore. Supports query-string-based whitelists and blacklists for filtering. |
|
|
Pulls tabular data from RDS MySQL. Supports query-string-based whitelists and blacklists for filtering. |
Field search vs. full-text search
Feature comparison:
|
Feature |
Field search |
Full-text search |
|
Substring search |
Supported |
Supported |
|
Wildcard search using |
Supported |
Supported |
|
Exact match search |
Supported |
Not supported |
|
Regular expression search |
Supported |
Not supported |
|
Numeric range search |
Supported |
Not supported |
|
Numeric comparison |
Supported |
Not supported |
|
Logical operators: and, or, not, and combinations |
Supported |
Supported |
Character escaping
Escape special characters in query strings, such as asterisks (*) and backslashes (\).
-
Field name escaping
Do not enclose field names in double quotation marks. Escape special characters with a backslash (\):
-
\*\(1+1\)\?: abc: Backslash-escaped special characters. -
__tag__\:__container_name__: abc: Colon escaped with a backslash. -
chinese_field: abc: Chinese characters need no escaping. -
"content": abc: Invalid. Do not enclose field names in double quotation marks.
-
-
Search value escaping
-
Escape double quotation marks and backslashes within values using a backslash (\). Example:
content: "abc\"xy\\z".NoteUse single quotation marks for the outer string and double quotation marks for the inner search value.
e_search("domain: '/url/test.jsp'")is incorrect. The correct format ise_search('domain: "/url/test.jsp"'). -
Escape asterisks (*) and question marks (?) with a backslash (\) to prevent wildcard matching.
-
Strings containing only Chinese characters, letters, digits, underscores (_), hyphens (-), asterisks (*), or question marks (?) need no double quotation marks. Otherwise, enclose the string in double quotation marks:
-
status: "\*\?()[]:=": Enclosed in double quotation marks. Only the asterisk (*) and question mark (?) require backslash escaping. -
content: ()[]:=: Invalid. Must be enclosed in double quotation marks. -
status: active\*testandstatus: active\?test: Only the wildcard character needs escaping. No double quotation marks required.
-
-
Substring search
-
Full text search
Search for a substring across all fields.
-
Syntax
e_search('substring') -
Examples
-
e_search('"error"'): Substring search. -
e_search('"active error"'): Substring search with a space in the term. -
e_search('active error'): Multiple substrings combined with OR by default.
-
-
-
Field search
Search for a substring in a specific field.
-
Syntax
e_search('...') -
Examples
-
e_search('status: active'): Substring search. -
e_search('author: "john smith"'): Substring search with a space in the value.
Notee_search('field: active error')is equivalent tofield:active OR "error". This searches for `active` in the field field or performs a full text search for `error`. -
-
Wildcard search
An asterisk (*) matches zero or more characters. A question mark (?) matches exactly one character, including multibyte characters such as Chinese characters.
-
Full text search
Search for a substring across all fields.
-
Syntax
e_search('substring') -
Examples
-
e_search('active*test'): Matches zero or more characters between "active" and "test". -
e_search('occurs*error'): Matchesoccurs error,occurs critical error, and similar patterns. -
e_search('active?good'): Matches exactly one character between "active" and "good". -
e_search('ac*tive?good'): Combines both wildcards. -
e_search('ac*tive??go*od'): Multiple wildcards in one query.
-
-
-
Field search
Search for a substring in a specific field.
-
Syntax
e_search('field_name:substring') -
Examples
-
e_search('status: active*test'): Matches zero or more characters. -
e_search('status: active?good'): Matches a single character.
-
-
Exact match
Exact match requires the entire field value to match from start to end.
-
Syntax
e_search('field_name==exact_match_string') -
Examples
-
e_search('author== "john smith"'): The author field exactly matches john smith. -
e_search('status== ac*tive?good'): Combine with wildcards.
-
Regular expression match
Regular expressions enable more powerful pattern matching than wildcards.
-
Syntax
e_search('field_name~=regular_expression_string')Note-
Use the
rprefix to prevent backslash escaping in regular expressions. -
Performs a partial match by default. Add
^at the beginning and$at the end for a full match.
-
-
Examples
-
e_search('status~= "\d+"'): The status field contains digits. -
e_search('status~= "^\d+$"'): The status field is a number.
-
Numeric comparison
Compare field values numerically.
-
Direct numeric comparison
Use the operators
>,>=,=,<, and<=for comparison.e_search('age >= 18') # >=18 e_search('age > 18') # > 18 e_search('age = 18') # = 18 e_search('age <= 18') # <=18 e_search('age < 18') # < 18 -
Numeric range comparison
Use closed intervals. An asterisk (*) indicates an unbounded side.
e_search('count: [100, 200]') # >=100 and <=200 e_search('count: [*, 200]') # <=200 e_search('count: [200, *]') # >=200
Logical operators
Combine searches with logical operators. Use parentheses () to group conditions.
|
Operator |
Keyword |
|
AND |
|
|
OR |
|
|
NOT |
|
Examples:
e_search('abc OR xyz') # Logical operators are case-insensitive
e_search('abc and (xyz or zzz)')
e_search('abc and not (xyz and not zzz)')
e_search('abc && xyz') # and
e_search('abc || xyz') # or
e_search('abc || !xyz') # or not
Logical operators in field-level substring matching:
e_search('field: (abc OR xyz)') # The field contains abc or xyz
e_search('field: (abc OR not xyz)') # The field contains abc or does not contain xyz
e_search('field: (abc && !xyz)') # The field contains abc and does not contain xyz
Field evaluation
Check whether a field exists or meets specific conditions.
-
e_search('field: *'): The field exists. -
e_search('not field:*'): The field does not exist. -
e_search('not field:""'): The field does not exist. -
e_search('field: "?"'): The field exists and its value is not empty. -
e_search('field==""'): The field exists and its value is empty. -
e_search('field~=".+"'): The field exists and its value is not empty. -
e_search('not field~=".+"'): The field does not exist or its value is empty. -
e_search('not field==""'): The field does not exist or its value is not empty.