match
Note: the functionality described here is available starting from version 5.3.1.
Description
Filters events from the source by the field values stored in an external index (the match index). If OUTPUT or OUTPUTNEW is specified, each matching event is additionally enriched with the specified fields from that index.
The command compares the value of the specified event field with the values of the corresponding field in the match index. Values in the match index may contain the wildcard characters * and ?, in which case they are matched as patterns rather than literally.
Please note!
Avoid duplicate values in the fields of the match index that are used for matching.
Syntax
```
...| match <match-index-name> <match-field> [as <source-field>] [match-options] [ OUTPUT | OUTPUTNEW (<match-destfield> [as <event-destfield>] )... ]
```
Required arguments
| Parameter | Syntax | Description |
|---|---|---|
| match-index-name | <string> | Name of the index used for building the match. |
| match-field | <string> | Field of the match index used for building the match subquery (the field compared with the event field). |
Optional arguments (match-options)
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| packsize | packsize=<int> | 500 | Size of the data block for processing. |
| workers | workers=<int> | 8 | Number of threads for data processing. |
| timefield | timefield=<field> | @timestamp | Name of the field storing the timestamp. |
| earliest | earliest=<string> | | Start timestamp for the search. |
| latest | latest=<string> | | End timestamp for the search. |
Other optional arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| source-field | <string> | | Name of the field in the main result that is compared with match-field. Used when the names of match-field and source-field differ. |
| OUTPUT \| OUTPUTNEW | OUTPUT \| OUTPUTNEW | OUTPUT | OUTPUT specifies that existing data in the source query field is overwritten with data from the match index. OUTPUTNEW specifies that the source query field is written only if it is empty or absent and the match index has data for that field. |
| match-destfield | <string> | | Name of the match-index field whose data is copied into the event (renamed with `as <event-destfield>`, if given). |
Query examples
Example №1
```
source data
| match filter_data_index @timestamp packsize=2048
```
Example №2
```
source internal_audit*
| match audit_category_lookup audit_category packsize=2048 workers=32 OUTPUT audit_request_effective_user
```
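The following Python model, added here as an illustration and not part of the product's own code, reproduces the semantics described above (filtering by a match index, wildcard values in the index, OUTPUT versus OUTPUTNEW enrichment) using the field names from Example №2. The match-index rows, the events and the rejection of ambiguous duplicate matches are constructed assumptions for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample match index keyed by audit_category. Values may contain
# the * and ? wildcards, which are matched as patterns (fnmatch also treats
# [...] specially; the sample avoids brackets).
AUDIT_CATEGORY_LOOKUP = [
    {"audit_category": "login_*", "audit_request_effective_user": "auth-svc"},
    {"audit_category": "config_change", "audit_request_effective_user": "admin"},
    {"audit_category": "backup_?", "audit_request_effective_user": "backup-agent"},
]

# Constructed sample events, as if read from a hypothetical internal_audit* source.
EVENTS = [
    {"audit_category": "login_success", "audit_request_effective_user": ""},
    {"audit_category": "config_change", "audit_request_effective_user": "svc_account"},
    {"audit_category": "file_read", "audit_request_effective_user": "alice"},
]


def match(events, index, match_field, source_field=None, mode=None, output=None):
    """Model of the match command.

    Keeps only events whose source_field value matches an index entry's
    match_field (wildcards in the index value allowed). With mode "OUTPUT" or
    "OUTPUTNEW", copies each index field in `output` (a mapping of
    match-destfield -> event-destfield) into the kept event. A value matching
    more than one index entry raises ValueError (hypothetical handling; the
    page only says duplicates should be avoided)."""
    source_field = source_field or match_field
    output = output or {}
    result = []
    for event in events:
        if source_field not in event:
            continue
        value = str(event[source_field])
        rows = [r for r in index if fnmatchcase(value, str(r[match_field]))]
        if not rows:
            continue  # no match: the event is filtered out
        if len(rows) > 1:
            raise ValueError(f"value {value!r} matches {len(rows)} index entries")
        enriched = dict(event)
        for src, dst in output.items():
            if mode == "OUTPUT":
                enriched[dst] = rows[0].get(src)  # always overwrite
            elif mode == "OUTPUTNEW" and not enriched.get(dst):
                enriched[dst] = rows[0].get(src)  # fill only if empty/missing
        result.append(enriched)
    return result
```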