Full-Text Search Functions
The full-text search functions allow you to filter records based on keyword or pattern matches within one or more fields.
This page lists the full-text search functions supported in OpenObserve, along with their usage formats, descriptions, and examples.
str_match
Syntax: str_match(field, 'value')
Alias: match_field(field, 'value')
The alias is available in OpenObserve version 0.15.0 and later.
Description:
- Filters logs where the specified field contains the exact string value.
- The match is case-sensitive.
- Only logs that include the exact characters and casing specified will be returned.
Example:
This query filters logs from thedefault stream where the k8s_pod_name field contains the exact string main-openobserve-ingester-1. It does not match values such as Main-OpenObserve-Ingester-1, main-openobserve-ingester-0, or any case variation.
str_match_ignore_case
Syntax: str_match_ignore_case(field, 'value')
Alias: match_field_ignore_case(field, 'value')
The alias is available in OpenObserve version 0.15.0 and later.
Description:
- Filters logs where the specified field contains the string value.
- The match is case-insensitive.
- Logs are returned even if the casing of the value differs from what is specified in the query.
Example:
This query filters logs from thedefault stream where the k8s_pod_name field contains any casing variation of main-openobserve-ingester-1, such as MAIN-OPENOBSERVE-INGESTER-1, Main-OpenObserve-Ingester-1, or main-openobserve-ingester-1.
match_all
Syntax: match_all('value')
Description:
- Filters logs by searching for the keyword across all fields that have the Index Type set to Full Text Search in the stream settings.
- This function is case-insensitive and returns matches regardless of the keyword's casing.
Note
To enable support for fields indexed using the Inverted Index method, set the environment variable ZO_ENABLE_INVERTED_INDEX to true. Once enabled, you can configure the fields to use the Inverted Index by updating the stream settings in the user interface or through the setting API.
The match_all function searches through inverted indexed terms, which are internally converted to lowercase. Therefore, keyword searches using match_all are always case-insensitive.
Example:
This query returns all logs in thedefault stream where the keyword openobserve-querier appears in any of the full-text indexed fields. It matches all casing variations, such as OpenObserve-Querier or OPENOBSERVE-QUERIER.
re_match
Syntax: re_match(field, 'pattern')
Description:
- Filters logs by applying a regular expression to the specified field.
- The function returns records where the field value matches the given pattern.
- This function is useful for identifying complex patterns, partial matches, or multiple keywords in a single query.
You can use standard regular expression syntax as defined in the Regex Documentation.
Example:
This query returns logs from thedefault stream where the k8s_container_name field matches any of the strings openobserve-querier, controller, or nats. The match is case-sensitive.
To perform a case-insensitive search:
This query returns logs where thek8s_container_name field contains any casing variation of openobserve-querier, such as OpenObserve-Querier or OPENOBSERVE-QUERIER.
re_not_match
Syntax: re_not_match(field, 'pattern')
Description:
- Filters logs by applying a regular expression to the specified field and returns records that do not match the given pattern.
- This function is useful when you want to exclude specific patterns or values from your search results.
Example:
SELECT * FROM "default" WHERE re_not_match(k8s_container_name, 'openobserve-querier|controller|nats')
default stream where the k8s_container_name field does not match any of the values openobserve-querier, controller, or nats. The match is case-sensitive.
