15 Feb 2024 07:30 PM - edited 15 Feb 2024 07:34 PM
This fails:
fetch logs
| filter matchesPhrase(host.name, "carn") // fail
and matchesPhrase(log.source, "rmwfeapi")
and matchesPhrase(content, "Unable")
| fieldsKeep timestamp, host.name, content, log.source
This works:
fetch logs
| filter matchesPhrase(host.name, "carn*") // why is wildcard required?
and matchesPhrase(log.source, "rmwfeapi")
and matchesPhrase(content, "Unable") // this works!
| fieldsKeep timestamp, host.name, content, log.source
What is it about host.name that matchesPhrase doesn't work as expected? It can find "Unable" in the middle of content but it can't find "carn" at the beginning of host.name? Why not?
Solved! Go to Solution.
15 Feb 2024 07:40 PM
MatchPhrase should match the exact value you are querying.
So I am assuming your host name is not only carn, but carn'something'.
Can you confirm?
If you want to filter by hostname with just a piece of the name without using the wildcard, you can use the contains instead.
15 Feb 2024 07:52 PM
My message says "carn*" works and "carn" does not. If "carn" was the server name "carn" would work. I think this is a DQL bug.
15 Feb 2024 07:55 PM
That's not a bug, that's just how matchPhrase works:
It should match the phrase you are looking for. If you want to get a string piece only, you should use "contains" instead.
15 Feb 2024 08:13 PM
Please let someone from Dynatrace respond thanks.
15 Feb 2024 10:01 PM
because word boundaries count