DQL matcher in business events
powered by Grail
With Dynatrace on Grail, you can use the following Dynatrace Query Language (DQL) functions and logical operators in matchers for business event processing:
Functions
matchesPhrase
Filters records containing a specified phrase. Returns only matching records. This function is case-insensitive for ASCII characters, it works with multi-value attributes (matching any of the values), and the asterisk character (*) is a wildcard that refers only to a single term, not the whole field value.
Validation
The matchesPhrase function performs a case-insensitive contains check for the whole query string.
For found results, additional validation takes place:
- If the query starts with a word character, the preceding character must be a non-word character.
- If the query ends with a word character, the succeeding character must be a non-word character.
- If the query starts with an asterisk, no validation of the preceding character is performed.
- If the query ends with an asterisk, no validation of the succeeding character is performed.
Syntax
matchesPhrase(<fieldName>, <value>)
Example
In this example, you add a filter that matches log records that contain the error phrase in their content.
matchesPhrase(content, "error")
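The validation rules above, modelled as an added Python example (not Dynatrace code and not part of the original page), show why a matcher for "error" skips "errors" unless an asterisk is used. It assumes a word character is an ASCII letter, digit or underscore, treats the start and end of a field as boundaries, and handles only leading and trailing asterisks; all function names are hypothetical.

```python
import string

# Assumption: a "word character" is an ASCII letter, digit or underscore.
WORD = set(string.ascii_letters + string.digits + "_")
# The page states case-insensitivity for ASCII only, so fold only A-Z.
FOLD = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def _match_one(value, query):
    lead, trail = query.startswith("*"), query.endswith("*")
    needle = query.strip("*").translate(FOLD)
    if not needle:
        return False  # assumption: an empty phrase matches nothing
    hay = value.translate(FOLD)
    pos = hay.find(needle)
    while pos != -1:
        end = pos + len(needle)
        # Assumption: start/end of the field counts as a non-word boundary.
        before_ok = (lead or needle[0] not in WORD
                     or pos == 0 or hay[pos - 1] not in WORD)
        after_ok = (trail or needle[-1] not in WORD
                    or end == len(hay) or hay[end] not in WORD)
        if before_ok and after_ok:
            return True
        pos = hay.find(needle, pos + 1)  # try the next occurrence
    return False


def matches_phrase(field, query):
    """True if any value of the (possibly multi-value) field matches."""
    values = field if isinstance(field, (list, tuple)) else [field]
    return any(isinstance(v, str) and _match_one(v, query) for v in values)


# Constructed sample records, not taken from the page.
SAMPLES = [
    "2022-08-03 ERROR: disk full",
    "3 errors found",
    "myerror code",
    ["info", "Error reported"],
]

if __name__ == "__main__":
    for query in ("error", "error*", "*error"):
        print(query, [matches_phrase(s, query) for s in SAMPLES])
```

Running a candidate phrase through such a model before deploying a matcher shows whether plural forms, prefixed identifiers or differently cased values will be skipped.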
matchesValue
Searches the records for a specific value in a given attribute. Returns only matching records.
Syntax
matchesValue(<fieldName>, <value>)
Example
In this example, you add a filter that matches records where the process.technology attribute contains the nginx value.
matchesValue(process.technology, "nginx")
isNotNull
Tests if a value is not NULL.
Syntax
isNotNull(<value>)
Example
In this example, we filter (select) data where the host.name field contains a value.
isNotNull(`host.name`)

| timestamp | content | event.type | host.name |
|---|---|---|---|
| 2022-08-03 11:27:19 | 2022-08-03 09:27:19.836 [QueueProcessor] RemoteReporter... | LOG | HOST-AF-710319 |
isNull
Tests if a value is NULL.
Syntax
isNull(<value>)
Example
In this example, we filter (select) data where the host.name field doesn't contain a value.
filter isNull(`host.name`)

| timestamp | content | event.type | host.name |
|---|---|---|---|
| 2022-08-03 12:53:26 | 2022-08-03T10:52:31Z localhost haproxy[12529]: 192.168.19.100:38440 | LOG | |
Operators
Logical operators can be used to connect two or more expressions. Check out Logical or equality operators to find out more about the behavior of logical operators in DQL.
OR
Logical addition.
Syntax
<expression_1> or <expression_2>
Example
In this example, you add a matcher to filter records where the content contains either the timestamp phrase or the trigger phrase.
matchesPhrase(content, "timestamp") or matchesPhrase(content, "trigger")
AND
Logical multiplication.
Syntax
<expression_1> and <expression_2>
Example
In this example, you add a matcher to filter records where the content contains the timestamp phrase and the trigger phrase.
matchesPhrase(content, "timestamp") and matchesPhrase(content, "trigger")
NOT
Logical negation.
Syntax
not <expression>
Example
In this example, you add a matcher to filter records where the content doesn't contain the timestamp phrase.
not matchesPhrase(content, "timestamp")
Strict equality
Logical operator (==) indicating an exact match.
Data types need to be identical. However, if the decimal value is 0, floating numbers can be compared with integer data. For example, 1==1.0.
For strings, the search is case-sensitive.
Contrary to the matchesValue function, the strict equality operator performs a case-sensitive comparison, doesn't support wildcards, and doesn't operate on elements that are part of multi-value attributes.
Syntax
<expression1> == <expression2>
Examples
Examples of using the strict equality operator.

| Part of the input event | Processing query | Match result | Description |
|---|---|---|---|
| { attribute="Dynatrace" } | attribute == "Dynatrace" | | The attribute is of the string type and has the same value. |
| { attribute="Dynatrace" } | attribute == "dynatrace" | | The strict equality is case-sensitive. |
| { attribute="1" } | attribute == 1 | | The attributes have different data types. |
| { attribute="1.0" } | attribute == 1 | | Floating numbers can be compared to integer values if their decimals equal 0. |
| { attribute=["Java", "DOCKER", "k8s"] } | attribute == "Java" | | The attributes have different data types. |
Grouping
You can create conditional grouping with brackets ( ).
matchesValue(process.technology, "nginx") and ( matchesPhrase(content, "error") or matchesPhrase(content, "warn") )
Reuse expressions
All the matcher expressions used in log events, metrics, processing, or bucket configurations are valid DQL. That means you can also use these expressions together with the DQL filter command, for example in the log viewer.