"matches" operator not working when the pattern repeats inside the string?
Hi all,
I'm trying to figure out if this is expected behavior. My query looks like:
(...filter logs...)
| parse regex "cache=......"
| where cache == "MISS, HIT, HIT"
| where cache matches "*HIT"
But it matches nothing! It looks like the operator matches the first "HIT", and then because there's more in the string, decides "no match". For example, if I change it to
......
| where cache matches "*T, HIT"
Then it matches.
Is this a bug?
-
I THINK it might be a bug, yes. I was able to verify this behavior on my end.
As a workaround, you can use the following instead of the matches operator, since parsing data also acts as a filter when the NODROP clause isn't used.
| parse regex field=cache "(?<cache>.*HIT)"
I hope this helps.
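The behaviour reported in this thread can be reproduced with a small model, added here as an example that is not part of the thread and is not Sumo Logic's implementation. All function names are hypothetical. The non-backtracking matcher is an assumption that follows the question's guess (stop at the first "HIT"), and it is compared against ordinary wildcard semantics and a Python spelling of the parse regex workaround.

```python
import re

SAMPLE = "MISS, HIT, HIT"  # the cache value from the question

def first_occurrence_match(pattern: str, text: str) -> bool:
    """Hypothetical non-backtracking wildcard matcher: after each '*' it jumps
    to the FIRST occurrence of the next literal chunk and never retries."""
    chunks = pattern.split("*")
    if not text.startswith(chunks[0]):
        return False
    pos = len(chunks[0])
    if len(chunks) == 1:              # no wildcard: must be an exact match
        return pos == len(text)
    for chunk in chunks[1:]:
        idx = text.find(chunk, pos)
        if idx < 0:
            return False
        pos = idx + len(chunk)
    # A trailing '*' absorbs the rest; otherwise the last chunk must end the text.
    return chunks[-1] == "" or pos == len(text)

def backtracking_match(pattern: str, text: str) -> bool:
    """Reference semantics: '*' is any run of characters, whole string anchored."""
    regex = ".*".join(re.escape(c) for c in pattern.split("*"))
    return re.fullmatch(regex, text, flags=re.DOTALL) is not None

def parse_regex_workaround(text: str):
    """Python spelling of the answer's (?<cache>.*HIT); None means the row is dropped."""
    m = re.search(r"(?P<cache>.*HIT)", text)
    return m.group("cache") if m else None

def divergences(patterns, values):
    """Return (pattern, value) pairs where the two matchers disagree."""
    return [(p, v) for p in patterns for v in values
            if first_occurrence_match(p, v) != backtracking_match(p, v)]

if __name__ == "__main__":
    for p in ("*HIT", "*T, HIT"):
        print(p, first_occurrence_match(p, SAMPLE), backtracking_match(p, SAMPLE))
    print(parse_regex_workaround(SAMPLE))
    print(divergences(["*HIT", "*T, HIT", "MISS*"], [SAMPLE, "HIT", "MISS, MISS"]))
```

Running a check like `divergences` over representative field values shows which wildcard filters would silently drop log lines under the modelled behaviour.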