When searching for special characters in field values in Logpoint, just pasting them into a regular key = value expression can often result in searches that do not behave as the user intended, because the Logpoint search language interprets the character differently from what was meant.
For instance, searching for fields with a star “*” character returns every log that has any value in that key, because Logpoint uses the star “*” as a wildcard character, which basically means “anything”.
key = * will return all logs that have a field called key
Instead of using the key = value pair to search, we can use the built-in command match to find any occurrences of the value we are looking for. In this example we will search for the star “*”, frequently referred to as the wildcard.
We have some logs with a field called policy, in which we would like to find all occurrences of the star “*” character. To do this we first ensure that the policy field exists in the logs we search by adding the following to our search:
policy = *
Next we use the command called match, which can be used inside the process command eval. The docs portal (Plugins → Evaluation Process Plugin → Conditional and Comparison Functions) shows that match takes a field and a regex and outputs true or false into a field:
| process eval("identifier=match(X, regex)")
In the above example:
- identifier is the field that receives the boolean value true or false. This can be any field name that is not currently in use, e.g. identifier or has_star
- match is the command
- X is the field in which we want to find the match
- regex is where we put our regex, surrounded by single quotes ' '
With this in mind we just need to create our regex, which can be done with your favourite regex checker: copy a potential value and write the regex against it. In this case we wrote the regex .*\*.* which basically says: match any characters, including whitespace, up to a star character (written as \* so the star is taken literally rather than as a quantifier), then match any characters, including whitespace, after it. This regex matches the full field value if there is one or more stars “*” in it.
Now we just need to add it to our search and do a quick chart to structure our results a bit. The search will look like the following:
| process eval("has_star=match(policy,'.*\*.*')")
| chart count() by policy, has_star
The search results can be seen below:
From here a simple filter command can be used to keep only the results with a star in the policy field, by adding:
| filter has_star=true
The same approach can also be used to match things that are not special characters, e.g. finding logs with a field whose value starts with A-E or 0-5.
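To show what the pipeline above actually computes, here is an added Python example that is not part of the original post and not Logpoint code: it re-implements the policy = * step, the eval match() step, the chart count() grouping and the filter step over a handful of constructed log events, and then reuses the same helpers for the A-E / 0-5 prefix case from the last paragraph. The sample events, the field name src_ip and all function names are assumptions; Python's re module is assumed to be close enough to the regex engine Logpoint uses for these two simple patterns, and match() is assumed to behave like a regex search. The example also shows why the star must be written as \* in the regex: the unescaped form .**.* is rejected by the regex engine as a stray quantifier.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the original post). Six carry a
# "policy" field; the last one does not and is dropped by the `policy = *` step.
SAMPLE_LOGS = [
    {"policy": "allow-any-*"},
    {"policy": "deny-all"},
    {"policy": "*-quarantine-*"},
    {"policy": "Backup-policy"},
    {"policy": "3rd-party-access"},
    {"policy": "deny-all"},
    {"src_ip": "10.0.0.1"},  # hypothetical event without a policy field
]

# The post's regex, written as a raw string so the backslash survives.
STAR_REGEX = r".*\*.*"
# The post's other use case: values that start with A-E or 0-5 (case-sensitive).
PREFIX_REGEX = r"^[A-E0-5]"


def regex_is_valid(regex):
    """True when the regex compiles. The unescaped form ".**.*" fails because
    the second star is a quantifier with nothing to repeat; hence the post's \\*."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


def field_exists(logs, key):
    """Mirror of `key = *`: keep only events that carry the field at all."""
    return [event for event in logs if key in event]


def eval_match(logs, out_field, in_field, regex):
    """Mirror of `| process eval("out=match(in, 'regex')")`: copies each event
    and adds a boolean field. Assumes match() behaves like a regex search."""
    pattern = re.compile(regex)
    return [
        {**event, out_field: pattern.search(event[in_field]) is not None}
        for event in logs
    ]


def chart_count(logs, *keys):
    """Mirror of `| chart count() by k1, k2, ...`: event count per value tuple."""
    return Counter(tuple(event.get(key) for key in keys) for event in logs)


def filter_equals(logs, key, value):
    """Mirror of `| filter key=value`."""
    return [event for event in logs if event.get(key) == value]


def star_search(logs=SAMPLE_LOGS):
    """The post's pipeline: policy=* | eval has_star=match(...) | chart count() by policy, has_star."""
    with_policy = field_exists(logs, "policy")
    flagged = eval_match(with_policy, "has_star", "policy", STAR_REGEX)
    return chart_count(flagged, "policy", "has_star")


def policies_with_star(logs=SAMPLE_LOGS):
    """Same pipeline followed by `| filter has_star=true`; returns the policy values."""
    flagged = eval_match(field_exists(logs, "policy"), "has_star", "policy", STAR_REGEX)
    return [event["policy"] for event in filter_equals(flagged, "has_star", True)]


def policies_with_prefix(logs=SAMPLE_LOGS, regex=PREFIX_REGEX):
    """The generalisation from the post: policy values starting with A-E or 0-5."""
    flagged = eval_match(field_exists(logs, "policy"), "has_prefix", "policy", regex)
    return [event["policy"] for event in filter_equals(flagged, "has_prefix", True)]


if __name__ == "__main__":
    for (policy, has_star), count in sorted(star_search().items()):
        print(f"{policy:20} has_star={has_star!s:5} count={count}")
    print("with star:", policies_with_star())
    print("A-E / 0-5 prefix:", policies_with_prefix())
```

Two details worth noticing when you run it: the event without a policy field never reaches the chart, exactly as the policy = * line intends, and the prefix regex is case-sensitive, so a value starting with a lowercase a is not counted as starting with A-E unless you write the class as [A-Ea-e0-5].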