Fuzzy search all fields
Problem / Use case
Need to locate a string in logs when you're not sure which key holds it.
Query / Solution
source logs
| filter $d ~~ 'eu-west'
Searches all top-level fields for the substring eu-west and returns matching events.
Equivalent query
An equivalent way of making the same query is to use wildfind.
source logs
| wildfind 'eu-west'
Expected Output
{
  "region": "eu-west-1a",
  "message": "Instance deployed"
}
Any document that contains the term anywhere among its root-level keys surfaces in the result set.
Note: the rest of the document is not shown here.
Variations
- Combine with other filters
source logs
| filter $d ~~ 'timeout'
| filter $m.severity == 'Error'
Alternate query
source logs
| wildfind 'timeout'
| filter $m.severity == 'Error'
- Anchor to whole words: use regex boundaries:
$d ~~ /\beu-west\b/
- Wild-text vs. field-specific: prefer $d ~~ when you truly don't know the location; otherwise use field ~ 'text' for better performance.
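The substring form and the whole-word variation above, compared side by side in an added Python example that is not part of the original page or the product's own code. It models a search over the root-level fields of constructed sample events, assuming standard regex \b semantics and that nested values are not searched; SAMPLE_EVENTS, free_text_match and search are hypothetical names.

```python
import json
import re

# Constructed sample events (not from the original page).
SAMPLE_EVENTS = [
    {"region": "eu-west-1a", "message": "Instance deployed"},
    {"region": "us-east-1b", "message": "Failover from eu-west completed"},
    {"region": "us-east-1b", "message": "Peered with neu-westfield gateway"},
    {"region": "ap-south-1", "message": "Instance deployed", "retries": 3},
]


def free_text_match(event, needle):
    """Model of $d ~~ needle: test every root-level scalar value.

    needle is a str (substring search) or a compiled regex (re.search).
    Assumption: nested objects and arrays are not descended into.
    """
    for key, value in event.items():
        if isinstance(value, (dict, list)) or value is None:
            continue
        text = value if isinstance(value, str) else json.dumps(value)
        if isinstance(needle, re.Pattern):
            hit = needle.search(text) is not None
        else:
            hit = needle in text
        if hit:
            return key  # name of the first root field that matched
    return None


def search(events, needle):
    """Return (event_index, matching_field) for every matching event."""
    results = []
    for i, event in enumerate(events):
        field = free_text_match(event, needle)
        if field is not None:
            results.append((i, field))
    return results


if __name__ == "__main__":
    for label, needle in [("substring", "eu-west"),
                          ("word-bounded", re.compile(r"\beu-west\b"))]:
        print(label, search(SAMPLE_EVENTS, needle))
```

With these samples the word-bounded pattern drops the neu-westfield event but still matches eu-west-1a, because a hyphen counts as a word boundary. To exclude eu-west-1a as well, the pattern needs an explicit delimiter rather than \b.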
TL;DR
$d ~~ '<text>' or wildfind '<text>' is for free-text hunting across every root field: quick, broad, and perfect when the key is a mystery.