I am trying to write a search query as part of our alerting. The intention is that if search results come from a certain container (kubernetes.container_name) e.g. service1, service2 or service3 then I should set a priority of 2.
The problem is that the service names have a version number appended to them e.g. service1-v1-0 or service3-v3-0b to give two such examples.
My intention was to use a combination of 'if' and 'match' with a wildcard to achieve this but it doesn't seem to work. The reason for me using this was that the start of the container_name would remain the same and as the version numbers change the search that I'm attempting to write should be future proofed.
| eval priority = if(match(kubernetes.container_name, "^service1-v*|^service2-v*|^service3*"), "2", "Not set")
However these are returning "Not set" even when the expected kubernetes.container_name is used.
Can someone help me understand why this isn't working, how to fix and whether there might be a better way of doing this?
Thanks!
The match function uses regex so the wildcards are different - try this
| eval priority = if(match(kubernetes.container_name, "^service1-v.*|^service2-v.*|^service3.*"), "2", "Not set")