Solved: Re: Searching for a match within an array of values

triptisharma · ‎24 Mar 2025

Dear Community Members,

I was looking to implement a log filter, and I was trying to filter the logs based on an array of variables chosen.

Ex ( tried this but it does not work) :

fetch logs
| filter matchesValue(log.source, "/opt/sa/log/core.trc")
| filter matchesPhrase(content , "failed to establish connection")
|filter matchesValue(content, array($IHost))

I want to match all logs which have individual matching entries of a failure to establish a connection basically I would like to do this

array of IHost ={"test.com","try.com","google.com"}

fetch logs
| filter matchesValue(log.source, "/opt/sa/log/core.trc")
| filter matchesPhrase(content , "failed to establish connection")
|filter matchesValue(content, "test.com") or matchesValue(content, "try.com") or matchesValue(content, "google.com")

What would be the best way to do this?

marco_irmer · ‎24 Mar 2025

I believe the in function will do what you are looking for.

triptisharma · ‎24 Mar 2025

I have tried the in clause but it did not work, unfortunately.

Here is an example of the log content

2025-03-22 04:38:51,366 -0400#INFO#com.sap#AccessControl connection checker# #SccEndpointValidator failed to establish connection to HTTPS://test.a4at.com:443
java.net.ConnectException: error 111 - Connection refused (Connection refused) (local port 40406 to address 10.99.123.123 (test.a4at.com), remote port 443 to address 10.99.8.55 (test.a4at.com))
at java.net.PlainSocketImpl.socketConnect(Native Method)

2025-03-22 04:38:51,366 -0400#INFO#com.sap#AccessControl connection checker# #SccEndpointValidator failed to establish connection to HTTPS://test.a4at.com:443
java.net.ConnectException: error 111 - Connection refused (Connection refused) (local port 40406 to address 10.99.123.123 (try.com), remote port 443 to address 10.99.8.55 (test.a4at.com))
at java.net.PlainSocketImpl.socketConnect(Native Method)

I have a dropdown variable (IHost) in a dashboard in which two values are chosen try.com,test.a4at.com

I wrote a query which used

fetch logs
| filter matchesValue(log.source, "/opt/sap/scc/log/scc_core.trc")
| filter matchesPhrase(content , "failed to establish connection")
|filter in(content, array($IHost))

And

| filter matchesValue(log.source, "/opt/sa/log/core.trc")
| filter matchesPhrase(content , "failed to establish connection")
|filter matchesValue(content, array($IHost))

Both of these didn't work . My apologies if I am missing something basic.

marco_irmer · ‎25 Mar 2025

The issue is that you are using the field 'content' within the in() function. This won't work because it's comparing the entire log entry ('content') to see if it matches one of your variable values exactly. You will need use the parse command to extract the host value into a new field using Dynatrace Pattern Language (DPL) and then use that field in place of 'content'.

The revised query would look something like this:

fetch logs
| filter matchesValue(log.source, "/opt/sap/scc/log/scc_core.trc")
| filter matchesPhrase(content , "failed to establish connection")
| parse content, "<DPL PATTERN HERE>"
| filter in(<field name here>, array($IHost))

You'll have to insert your own DPL pattern and then update the last filter line with the appropriate field name.

triptisharma · ‎25 Mar 2025

Thank you Marco! Let me try your suggestion and I will update here if it worked.

triptisharma · ‎25 Mar 2025

Thank you so much for your help @marco_irmer that worked for me.