DQL matcher in business events

With Dynatrace on Grail, you can use the following Dynatrace Query Language (DQL) functions and logical operators in matchers for business event processing:

Functions

matchesPhrase

Filters records containing a specified phrase. Returns only matching records. This function is case insensitive for ASCII characters, it works with multi-value attributes (matching any of the values), and the asterisk character (*) is a wildcard only referring to a single term, not the whole field value.

Validation
The matchesPhrase function performs case-insensitive contains for the whole query string.
For found results, additional validation takes place:
- if the query starts with a word character, the preceding character must be a non-word character.
- if the query ends with a word character, the succeeding character must be a non-word character.
- if the query starts with an asterisk, no validation of the preceding character is performed.
- if the query ends with an asterisk, no validation of the succeeding character is performed.
Syntax
matchesPhrase(<fieldName>, <value>)

Example
In this example, you add a filter that matches log records that contain error phrase in their content.

dql
matchesPhrase(content, "error")

Examples of event processing using DQL matchesPhrase function.

Part of the input event	Processing query	Description
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "192.168.0.1")`	Exact match by single term.
`attribute="User 'käärmanü' failed to login from 192.168.0.123"`	`matchesPhrase(attribute, "192.168.0.1")`	Non-word character is expected after character `1`.
`attribute="User 'käärmanü' failed to login from 192.168.0.123"`	`matchesPhrase(attribute, "192.168.0.1*")`	The query would match all IPs with the last octet between `100` and `199`.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "failed to login")`	Exact phrase match.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "failed to log")`	`log` is not a full word, non-word character is expected after `log`.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "failed to log*")`	If the query ends with a wildcard character, the validation of the succeeding character is skipped.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "ed to login")`	`ed` is not a full word, the preceding character `l` is a part of the word.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "*ed to login")`	If the query starts with a wildcard character, the validation of the preceding character is skipped.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "ed to log")`	If the query starts and ends with a wildcard character, the validation of the preceding and succeeding characters is skipped.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "käärmanü failed")`	There should be an apostrophe (`'`) character between `käärmanü` and `failed`.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, "rmanü' failed")`	Non-ASCII character `ä` is treated as non-word character.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesPhrase(attribute, " 'käärmanü' failed")`	If the query starts with non-word character, the validation of the preceding character is skipped.
`attribute="Failed to assign monitoring configuration for com.dynatrace.extension"`	`matchesPhrase(attribute, "configuration for")`	There is a space in the query and a tabulator in the attribute value.
`attribute="Failed to assign monitoring configuration for com.dynatrace.extension"`	`matchesPhrase(attribute, "failed to")`	There is a single space in the query and a double space in the attribute value
`attribute="Failed to assign monitoring configuration for com.dynatrace.extension"`	`matchesPhrase(attribute, "failed to")`	It is possible to search with multiple spaces.
`attribute=["Gdansk, Poland", "Linz, Austria", "Klagenfurt, Austria"]`	`matchesPhrase(attribute, "Austria")`	The function handles multi-value attributes in "any-match" manner, in this case `Austria` is matched in second and third value.
`attribute=["Gdansk, Poland", "Linz, Austria", "Klagenfurt, Austria"]`	`matchesPhrase(attribute, "Pol*")`	Wildcard can be used also when dealing with multi-value attributes.

matchesValue

Searches the records for a specific value in a given attribute. Returns only matching records.

Syntax
matchesValue(<fieldName>, <value>)

Example
In this example, you add a filter record where process.technology attribute contains nginx value.

dql
matchesValue(process.technology, "nginx")

Examples of event processing using DQL matchesValue function.

Part of the input event	Processing query	Description
`attribute="Dynatrace"`	`matchesValue(attribute, "dynaTrace")`	Case insensitive equality.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesValue(attribute, "192.168.0.1")`	The whole attribute value is considered.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesValue(attribute, "*192.168.0.1")`	The value ends with `192.168.0.1`.
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesValue(attribute, "user*")`	The value starts with `user` (case-insensitively).
`attribute="User 'käärmanü' failed to login from 192.168.0.1"`	`matchesValue(attribute, "failed to log")`	The value contains the string `failed to log`.
`attribute="Österreich"`	`matchesValue(attribute, "österreich")`	Case insensitive only for ASCII characters.
`attribute="Österreich"`	`matchesValue(attribute, "Österreich")`	Exact match.
`attribute=["Java", "DOCKER", "k8s"]`	`matchesValue(attribute, "docker")`	The function handles multi-value attributes in "any-match" manner, in this case, `docker` is matched in the second value.
`attribute=["Java11", "java17"]`	`matchesValue(attribute, "java")`	None of the values is equal to string java.
`attribute=["Java11", "java17"]`	`matchesValue(attribute, "java*")`	Both values start with a string `java`.

isNotNull

Tests if a value is not NULL.

Syntax
isNotNull(<value>)

Example
In this example, we filter (select) data where the host.name field contains a value.

dql
isNotNull(`host.name`)

timestamp	content	event.type	host.name
`2022-08-03 11:27:19`	`2022-08-03 09:27:19.836 [QueueProcessor] RemoteReporter...`	`LOG`	`HOST-AF-710319`

Examples of event processing using DQL isNotNull function.

Part of the input event	Processing query	Description
plaintext `{ attribute="Dynatrace" }`	`isNotNull(other)`	The `other` attribute does not exists
plaintext `{ attribute="Dynatrace" }`	`isNotNull(attribute)`	The `attribute` has non-null value.
plaintext `{ attribute=null }`	`isNotNull(attribute)`	The `attribute` has null value.

isNull

Tests if a value is NULL.

Syntax
isNull(<value>)

Example
In this example, we filter (select) data where the host.name field doesn't contain a value.

dql
filter isNull(`host.name`)

timestamp	content	event.type	host.name
`2022-08-03 12:53:26`	`2022-08-03T10:52:31Z localhost haproxy[12529]: 192.168.19.100:38440`	`LOG`

Examples of event processing using DQL isNull function.

Part of the input event	Processing query	Description
plaintext `{ attribute="Dynatrace" }`	`isNull(other)`	The `other` attribute does not exists.
plaintext `{ attribute="Dynatrace" }`	`isNull(attribute)`	The `attribute` has non-null value.
plaintext `{ attribute=null }`	`isNull(attribute)`	The `attribute` has null value.

Operators

Logical operators can be used to connect two or more expressions.

OR

Logical addition.

Syntax
<expression_1> or <expression_2>
Example
In this example, you add a matcher to filter records where the content contains either timestamp phrase or trigger phrase.
```
dql
matchesPhrase(content, "timestamp") or matchesPhrase(content, "trigger")
```

AND

Logical multiplication.

Syntax
<expression_1> and <expression_2>
Example
In this example, you add a matcher to filter records where the content contains timestamp phrase and trigger phrase.
```
dql
matchesPhrase(content, "timestamp") and matchesPhrase(content, "trigger")
```

NOT

Logical negation.

Syntax
not <expression>
Example
In this example, you add a matcher to filter records where the content doesn't contain timestamp phrase.
```
dql
not matchesPhrase(content, "timestamp")
```

Strict equality

Logical operator (==) indicating an exact match.

Data types need to be identical. However, if the decimal value is 0, floating numbers can be compared with integer data. For example, 1==1.0
For strings, the search is case-sensitive.

Contrary to matchesValue function, strict equality operator performs case-sensitive comparison, doesn't support wildcards and doesn't operate on elements being part of multi-value attributes.

Syntax
<expression1> == <expression2>

Examples

Examples of using the strict equality operator.

Part of the input event	Processing query	Description
plaintext `{ attribute="Dynatrace" }`	`attribute == "Dynatrace"`	The attribute is of the string type and has the same value.
plaintext `{ attribute="Dynatrace" }`	`attribute == "dynatrace"`	The strict equality is case-sensitive.
plaintext `{ attribute="1" }`	`attribute == 1`	The attributes have different data types
plaintext `{ attribute="1.0" }`	`attribute == 1`	Floating numbers can be compared to integer values if their decimals equal 0
plaintext `{ attribute=["Java", "DOCKER", "k8s"] }`	`attribute == "Java"`	The attributes have different data types.

Grouping

You can create conditional grouping with brackets ( ).

dql
matchesValue(process.technology, "nginx") and ( matchesPhrase(content, "error") or matchesPhrase(content, "warn") )

Reuse expressions

All the matcher expressions used in either log events, metrics, processing or bucket configurations are valid DQL. That means you can also use these expressions together with DQL filter command for example in the log viewer.

filter matchesValue(process.technology, "nginx") and ( matchesPhrase(content, "error") or matchesPhrase(content, "warn") )