Pattern Matching
Regex Matching
Use `~` to match a value against a regular expression, and `!~` to negate the match:

```
message~"error.*timeout"
path!~"^/health"
```

| Operator | Meaning |
|---|---|
| `~` | Value matches regex pattern |
| `!~` | Value does not match regex pattern |
Regex Pattern Syntax
The regex syntax depends on the target backend:
- ClickHouse — uses `match()` function (RE2 syntax)
- PostgreSQL — uses `~` and `!~` operators (POSIX regex)
- StarRocks — uses `regexp` function
- In-memory matcher — uses the host language’s regex engine (Go `regexp`, Python `re2`, JS `RegExp`)
Quote the pattern when it contains spaces or special characters:

```
message~"connection (refused|reset)"
host~"^prod-[0-9]+"
```

Case-Insensitive Matching
To perform case-insensitive regex matching, use the `(?i)` flag at the start of your pattern:

```
message~"(?i)error"
level~"(?i)^(warn|error|fatal)$"
```

The `(?i)` inline flag is a regex feature — support varies by backend:
| Backend | (?i) support | Notes |
|---|---|---|
| ClickHouse | Yes | RE2 syntax |
| PostgreSQL | Yes | POSIX regex |
| StarRocks | Yes | RE2 syntax |
| Go in-memory matcher | Yes | Go regexp (RE2) |
| Python in-memory matcher | Yes | google-re2 |
| JavaScript in-memory matcher | No | ECMAScript RegExp does not support (?i) inline flags |
For the JavaScript in-memory matcher, use a character-class approach instead to achieve case-insensitive matching:

```
message~"[eE][rR][rR][oO][rR]"
```

Or, when targeting SQL backends only, `(?i)` works reliably across all three dialects.
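
The character-class rewrite described above can be generated mechanically. This is an added example, not part of the original page or the project's code: `expandInlineCaseFlag` is a hypothetical helper that assumes ASCII-only patterns and throws on any construct it cannot rewrite exactly, so a pattern never silently matches more or less than the `(?i)` form.

```javascript
// Added example, not project code: rewrite a leading (?i) into the
// character-class form for the JavaScript in-memory matcher (ASCII only).
const isLetter = (c) => /^[A-Za-z]$/.test(c);
const bothCases = (c) => c.toLowerCase() + c.toUpperCase();

function expandInlineCaseFlag(pattern) {
  if (!pattern.startsWith("(?i)")) return pattern; // nothing to rewrite
  const src = pattern.slice(4);
  let out = "";
  let inClass = false; // true while inside [...]
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (ch > "\x7f") throw new Error("non-ASCII pattern is not handled");
    if (ch === "\\") {
      // Copy escapes untouched so \d, \w, \b keep their meaning; refuse
      // escapes whose argument contains letters (\x4a, \u004a, \cJ, ...).
      const next = src[i + 1];
      if (next === undefined || "xucpPk".includes(next)) {
        throw new Error("escape is not handled: \\" + (next ?? ""));
      }
      out += ch + next;
      i++;
    } else if (ch === "(" && src[i + 1] === "?" && !":=!".includes(src[i + 2])) {
      throw new Error("only (?:, (?= and (?! groups are handled");
    } else if (!inClass && ch === "[") {
      inClass = true;
      out += ch;
    } else if (inClass && ch === "]") {
      inClass = false;
      out += ch;
    } else if (inClass && src[i + 1] === "-" && i + 2 < src.length && src[i + 2] !== "]") {
      const end = src[i + 2];
      if (isLetter(ch) && isLetter(end) && (ch < "a") === (end < "a")) {
        // Letter range of a single case: mirror it, a-f becomes a-fA-F.
        out += `${ch.toLowerCase()}-${end.toLowerCase()}${ch.toUpperCase()}-${end.toUpperCase()}`;
      } else if (end !== "\\" && (end < "A" || ch > "z")) {
        out += src.slice(i, i + 3); // range holds no letters, e.g. 0-9
      } else {
        throw new Error("range is not handled: " + src.slice(i, i + 3));
      }
      i += 2;
    } else {
      out += !isLetter(ch) ? ch : inClass ? bothCases(ch) : `[${bothCases(ch)}]`;
    }
  }
  return out;
}
```

A range such as `[0-z]` is rejected rather than copied, because it covers lowercase and uppercase letters unevenly and a verbatim copy would change what the pattern matches.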
Combine case-insensitive matching with negation to exclude patterns regardless of case:

```
message~"(?i)error" and message!~"(?i)warning"
```

Wildcard Matching
Use `*` at the end of an unquoted value for glob-style prefix matching:

```
host=prod*
service=api-*
```

This matches any value that starts with the given prefix. Wildcards are only supported at the end of a value — `*prod` or `pr*od` are not supported.
Wildcard vs. Regex
| Pattern | Syntax | Example |
|---|---|---|
| Wildcard (prefix) | key=value* | host=prod* |
| Regex (full) | key~"pattern" | host~"^prod-[0-9]+" |
Use wildcards for simple prefix matching. Use regex when you need more complex patterns.
Examples

```
# Regex: messages containing "error" or "fail"
message~"error|fail"

# Regex: paths starting with /api/v2
path~"^/api/v2"

# Negated regex: exclude health check paths
path!~"^/health"

# Wildcard: hosts starting with "prod"
host=prod*

# Combined
host=prod* and message~"timeout.*" and path!~"^/health"
```