cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is this a bug? Why does matchesPhrase fail and at the same time contains works?

GerrysR6
Visitor

Below is my query, which finds results. Note that both dt.kubernetes.event.message and event.name have the same value, which is "Back-off restarting failed container"

fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and contains(event.name, "restarting")
| fields timestamp, event.name, event.status, dt.kubernetes.event.message
| limit 1000

If I change contains to matchesPhrase there are no results. Why not? If I use matchesPhrase(event.name, "*restarting*") there are results, why do I have to use a wildcard for event.name but not for dt.kubernetes.event.message?

5 REPLIES 5

GerardJ
Helper

Hello
Maybe in the event.name field, there is a non-word character succeeding the word "restarting" (eg. a dot or a comma) so that the matchesPhrase is not validated without the wildcard.

GerardJ_0-1697012982204.png

Hope this helps

 

If there was a dot or a common I'd see it. Added a == to make the problem even more clear. Note that "restarting" obviously starts and ends with a word character, and before and after it are non-word characters, so it meets the criteria for matchesPhrase. I'll be doing training with some people at my company and at this point I will be recommending they use contains and not matchesPhrase.

 

// this finds data:

fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and contains(event.name, "restarting")

| filter dt.kubernetes.event.message == event.name

 

// this does not find data (unless wildcards are added):

fetch events 
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and matchesPhrase(event.name, "restarting")

| filter dt.kubernetes.event.message == event.name

 

 

You can run the above queries using the demo site and get the same responses. This is what the actual data looks like:

timestamp 10/11/2023, 8:03:28 AM event.name Back-off restarting failed  container event.status ACTIVE dt.kubernetes.event.message Back-off restarting failed container

 

Unable to find documentation for "contains"...

I found this in the DQL docs : DQL functions | Dynatrace Docs

GerardJ_0-1697093044263.png

 

sinisa_zubic
Dynatrace Champion
Dynatrace Champion

Hi @GerrysR6 

We have noticed that a bug was introduced when doing some special filtering operations (in your case filtering with matchesPhrase on event.name). The issue was already fixed and the fix will be rolled out with one of the next releases.  For more details about the fix, please reach out to Tech Support

 

A workaround would be to use the lower function for event.name

fetch events
| filter event.status != "CLOSED" and matchesPhrase(dt.kubernetes.event.message, "restarting") and matchesPhrase(lower(event.name), "restarting")
| fields timestamp, event.name, event.status, dt.kubernetes.event.message
| limit 1000

 

Best,
Sini

Featured Posts