Skip to content

Fuzzy search all fields

Problem / Use case

Need to locate a string in logs when you’re not sure which key holds it.

Query / Solution

source logs
| filter $d ~~ 'eu-west'

Searches all top-level fields for the substring eu-west and returns matching events.

Equivalent query

An equivalent way of making the same query is to use wildfind.

source logs
| wildfind 'eu-west'

Expected Output

{
  "region": "eu-west-1a",
  "message": "Instance deployed"
}

Any document that contains the term anywhere among its root-level keys surfaces in the result set.

Note

Not shown here is the rest of the document.

Variations

  • Combine with other filters
source logs
| $d ~~ 'timeout' 
| filter $m.severity == 'Error'

Alternate query

source logs
| wildfind 'timeout'
| filter $m.severity == 'Error'
  • Anchor to whole words Use regex boundaries:
$d ~~ /\beu-west\b/
  • Wild-text vs. field-specific Prefer $d ~~ when you truly don’t know the location; otherwise use field ~ 'text' for better performance.

TL;DR

$d ~~ '<text>' or wildfind '<text>'is for free-text hunting across every root field—quick, broad, and perfect when the key is a mystery.

Previous metadata vs. data field
Next Accessing fields with special characters
Home
User Guides
DataPrime
Integrations
OpenTelemetry
Developer Portal