10 Oct 2023 06:36 PM - edited 10 Oct 2023 06:37 PM
Below is my query, which finds results. Note that both dt.kubernetes.event.message and event.name have the same value, which is "Back-off restarting failed container".
fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and contains(event.name, "restarting")
| fields timestamp, event.name, event.status, dt.kubernetes.event.message
| limit 1000
If I change contains to matchesPhrase, there are no results. Why not? If I use matchesPhrase(event.name, "*restarting*"), there are results. Why do I have to use a wildcard for event.name but not for dt.kubernetes.event.message?
11 Oct 2023 09:31 AM - edited 11 Oct 2023 10:01 AM
Hello
Maybe in the event.name field, there is a non-word character succeeding the word "restarting" (e.g. a dot or a comma) so that the matchesPhrase is not validated without the wildcard.
Hope this helps
11 Oct 2023 04:11 PM
If there was a dot or a comma I'd see it. Added a == to make the problem even more clear. Note that "restarting" obviously starts and ends with a word character, and before and after it are non-word characters, so it meets the criteria for matchesPhrase. I'll be doing training with some people at my company and at this point I will be recommending they use contains and not matchesPhrase.
// this finds data:
fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and contains(event.name, "restarting")
| filter dt.kubernetes.event.message == event.name
// this does not find data (unless wildcards are added):
fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and matchesPhrase(event.name, "restarting")
| filter dt.kubernetes.event.message == event.name
You can run the above queries using the demo site and get the same responses. This is what the actual data looks like:
timestamp: 10/11/2023, 8:03:28 AM
event.name: Back-off restarting failed container
event.status: ACTIVE
dt.kubernetes.event.message: Back-off restarting failed container
11 Oct 2023 05:03 PM
Unable to find documentation for "contains"...
12 Oct 2023 02:58 PM
Hi @GerrysR6
We have noticed that a bug was introduced when doing some special filtering operations (in your case, filtering with matchesPhrase on event.name). The issue was already fixed and the fix will be rolled out with one of the next releases. For more details about the fix, please reach out to Tech Support.
A workaround would be to use the lower function for event.name:
fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and matchesPhrase(lower(event.name), "restarting")
| fields timestamp, event.name, event.status, dt.kubernetes.event.message
| limit 1000
Best,
Sini