String Operators
A list of string operators supported by Cribl Search.
String operators manipulate and transform text, enabling actions like concatenation, trimming, replacement, or extraction.
Note that these operators’ support, and their case-sensitivity, vary depending on their parent search operators and filter operators. For exact details, see these pages:
We use the following abbreviations in the table below:
- Operators with a _cs suffix are case-sensitive.
- RHS = right-hand side of the expression.
- LHS = left-hand side of the expression.
Operator | Description | Case-Sensitive | Example (yields true) |
---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
!contains | RHS doesn’t occur in LHS | No | "Fabrikam" !contains "xyz" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "FabriKam" contains_cs "Kam" |
!contains_cs | RHS doesn’t occur in LHS | Yes | "Fabrikam" !contains_cs "Kam" |
endswith | RHS is a closing subsequence of LHS | No | "Fabrikam" endswith "Kam" |
!endswith | RHS isn’t a closing subsequence of LHS | No | "Fabrikam" !endswith "brik" |
endswith_cs | RHS is a closing subsequence of LHS | Yes | "Fabrikam" endswith_cs "kam" |
!endswith_cs | RHS isn’t a closing subsequence of LHS | Yes | "Fabrikam" !endswith_cs "brik" |
has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
!has | RHS isn’t a full term in LHS | No | "North America" !has "amer" |
has_all | Same as has but works on all of the events | No | "North and South America" has_all("south", "north") |
!has_all | Not all of the RHS terms are present in LHS | No | "North and South America" !has_all("south", "east") |
has_any | Same as has but works on any of the events | No | "North America" has_any("south", "north") |
!has_any | None of the RHS terms are present in LHS | No | "North and South America" !has_any("east", "west") |
has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
!has_cs | RHS isn’t a full term in LHS | Yes | "North America" !has_cs "amer" |
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
hassuffix | RHS is a term suffix in LHS | No | "North America" hassuffix "ica" |
!hassuffix | RHS isn’t a term suffix in LHS | No | "North America" !hassuffix "americ" |
hassuffix_cs | RHS is a term suffix in LHS | Yes | "North America" hassuffix_cs "ica" |
!hassuffix_cs | RHS isn’t a term suffix in LHS | Yes | "North America" !hassuffix_cs "icA" |
in | Equal to any of the events | Yes | "abc" in ("123", "345", "abc") |
!in | Not equal to any of the events | Yes | "bca" !in ("123", "345", "abc") |
in~ | Equal to any of the events | No | "Abc" in~ ("123", "345", "abc") |
!in~ | Not equal to any of the events | No | "bCa" !in~ ("123", "345", "ABC") |
matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
startswith | RHS is an initial subsequence of LHS | No | "Fabrikam" startswith "fab" |
!startswith | RHS isn’t an initial subsequence of LHS | No | "Fabrikam" !startswith "kam" |
startswith_cs | RHS is an initial subsequence of LHS | Yes | "Fabrikam" startswith_cs "Fab" |
!startswith_cs | RHS isn’t an initial subsequence of LHS | Yes | "Fabrikam" !startswith_cs "fab" |
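
Whether a filter uses a substring operator (contains) or a term operator (has, hasprefix, hassuffix) decides which events a detection query returns. The Python model below is an added example, not Cribl code: it assumes a term is a maximal run of ASCII letters and digits (the page does not define term boundaries), and the log lines are constructed.

```python
import re

# Assumption: a term is a maximal run of ASCII letters/digits. The page does
# not define term boundaries, so the product's real tokenizer may differ.
TERM = re.compile(r"[A-Za-z0-9]+")

def _fold(s, cs):
    """Case-fold unless the operator is a case-sensitive (_cs) variant."""
    return s if cs else s.casefold()

def _terms(lhs, cs):
    return [_fold(t, cs) for t in TERM.findall(lhs)]

def contains(lhs, rhs, cs=False):
    """Substring match: RHS may start or end in the middle of a term."""
    return _fold(rhs, cs) in _fold(lhs, cs)

def has(lhs, rhs, cs=False):
    """Whole-term match: RHS must equal one complete term of LHS."""
    return _fold(rhs, cs) in _terms(lhs, cs)

def hasprefix(lhs, rhs, cs=False):
    return any(t.startswith(_fold(rhs, cs)) for t in _terms(lhs, cs))

def hassuffix(lhs, rhs, cs=False):
    return any(t.endswith(_fold(rhs, cs)) for t in _terms(lhs, cs))

def has_all(lhs, *rhs):
    return all(has(lhs, r) for r in rhs)

def has_any(lhs, *rhs):
    return any(has(lhs, r) for r in rhs)

# Constructed log lines (not real data).
LOGS = [
    "sshd: Accepted password for admin from 192.0.2.5",
    "sshd: Accepted password for administrator from 192.0.2.6",
    "cron: job sysadmin_backup finished",
]

def compare(needle):
    """Indexes of LOGS matched by each operator for the same needle."""
    ops = {"contains": contains, "has": has,
           "hasprefix": hasprefix, "hassuffix": hassuffix}
    return {name: [i for i, line in enumerate(LOGS) if op(line, needle)]
            for name, op in ops.items()}

if __name__ == "__main__":
    for name, hits in compare("admin").items():
        print(f"{name:10} -> {hits}")
```

For the needle "admin", has matches only the first line, hasprefix also picks up "administrator", hassuffix picks up "sysadmin", and contains matches all three.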