Matches
Synopsis
Tests whether a field value contains a text pattern or matches a regular expression, then routes execution to on_success or on_failure processor chains based on the result.
Schema
- matches:
field: <ident>
text: <string>
value_field: <ident>
mode: <string>
case_sensitive: <boolean>
description: <text>
disabled: <boolean>
if: <script>
ignore_failure: <boolean>
ignore_missing: <boolean>
on_failure: <processor[]>
on_success: <processor[]>
tag: <string>
Configuration
| Field | Required | Default | Description |
|---|---|---|---|
field | Y | Field to test; must contain a string, []string, or []interface{} value | |
text | Y* | Literal text or template pattern to match against | |
value_field | Y* | Field whose string value is used as the match pattern | |
mode | N | contains | Match mode: contains (substring) or regex (regular expression) |
case_sensitive | N | false | When true, substring matching is case-sensitive; has no effect in regex mode |
description | N | Explanatory note | |
disabled | N | false | When true, processor is skipped |
if | N | Condition to activate processor | |
ignore_failure | N | false | See Handling Failures |
ignore_missing | N | false | When true and field does not exist, exit quietly |
on_failure | N | See Handling Failures | |
on_success | N | See Handling Success | |
tag | N | Identifier |
* = Either text or value_field must be specified, but not both.
Details
The processor resolves the match pattern first, then retrieves the value of field. If field holds a plain string, that string is tested. If field holds an array ([]string or []interface{}), the processor tests each element and succeeds as soon as any element matches.
Contains mode (default) uses strings.Contains with optional case folding. When case_sensitive is false (the default), both the field value and the pattern are lowercased before comparison. Setting case_sensitive: true requires an exact case match.
Regex mode compiles and caches the pattern. The cache avoids recompilation on repeated invocations. An invalid regex pattern produces an error rather than a no-match result.
The text field supports template syntax ({{{field_name}}}), allowing the pattern to be constructed dynamically from other fields in the log entry. value_field reads the pattern from another field directly, without template processing.
When a match is found, on_success processors run. When no match is found (ErrNoMatch), on_failure processors run without an error being recorded. When the processor itself fails (missing field, invalid regex, type error), the standard ignore_failure and ignore_missing rules apply, and on_failure processors run with the error.
The processor only accepts string-typed field values. A numeric field such as response_code: 404 produces a type error even if the pattern is "404". Convert numeric fields before using this processor.
To test a field value against a list of candidates rather than a single pattern, see Contains.
Examples
Substring Match
Checking if a user agent string contains a known platform identifier... | |
Match succeeds (case-insensitive by default), | |
Regex Match
Testing a source IP against a private network prefix using a regular expression... | |
IP matches the RFC 1918 prefix; | |
Array Field
Checking whether any tag in a string array contains a target value... | |
Processor iterates all array elements and succeeds on the first match... | |
Dynamic Pattern via value_field
Using a field value as the match pattern to compare two runtime values... | |
| |
Template Pattern
Building the match pattern from another field using template syntax... | |
Template resolves to | |
Missing Field Handling
Suppressing the error when the target field is absent... | |
| |