I was trying to do a phrase search to find some keywords in the $LogEvent field. While doing this I tried putting regular expressions between the single quotation marks. This was yielding results, but they were incorrect.
For example, in web access logs, if I want to search for the 400 status code, there are two different occurrences of the term '400': one is the actual status code, the other is some random string. In such a case, I used the below query to pull only the logs of my choice; it completes successfully but gives the wrong output.
_fetch * from event where $DevSrcIP=A.B.C.D AND $LogEvent='400\s\"CONNECT\s' limit 10
My question is: is it valid to use regular expressions in the search query? If not, what is happening to my search when I use the above query? And if we can use regex in DQL, how do I use it?
P.S. The above is just an example, and I am aware that I can get it done by querying parsed fields.
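As an added illustration, not part of the original post and independent of DQL's own syntax: the ambiguity described above, reproduced in Python over a few constructed Combined Log Format lines. A phrase search or an unanchored regex matches every line that contains the literal 400, whereas parsing the line and comparing the status field gives the intended result. The parser regex, the field names and the sample lines are assumptions made for this example, not anything the query language or the poster's logs define.

```python
import re
from typing import List, Optional

# Constructed web access log lines in Combined Log Format (not from the
# original post). The literal "400" appears in three of them, but only the
# first carries 400 as the HTTP status code.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "CONNECT example.com:443 HTTP/1.1" 400 0 "-" "curl/7.88.1"',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item/400 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "CONNECT example.com:443 HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=400 HTTP/1.1" 404 12 "http://example.com/400" "Mozilla/5.0"',
]

# Assumed parser for Common/Combined Log Format; the group names are our own.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def phrase_search(lines: List[str], phrase: str) -> List[str]:
    """Plain substring search: matches the phrase anywhere in the raw line."""
    return [ln for ln in lines if phrase in ln]


def raw_regex_search(lines: List[str], pattern: str) -> List[str]:
    """Unanchored regex over the raw line: still blind to which field matched."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def status_search(lines: List[str], status: str, method: Optional[str] = None) -> List[str]:
    """Parse each line and compare the status field (and optionally the method)."""
    hits = []
    for ln in lines:
        m = CLF_RE.match(ln)
        if not m:
            continue  # unparseable line: skip rather than guess at a field
        if m.group("status") == status and (method is None or m.group("method") == method):
            hits.append(ln)
    return hits


if __name__ == "__main__":
    print("phrase '400'     :", len(phrase_search(SAMPLE_LOGS, "400")), "lines")
    print("regex \\b400\\b    :", len(raw_regex_search(SAMPLE_LOGS, r"\b400\b")), "lines")
    print("status field 400 :", len(status_search(SAMPLE_LOGS, "400")), "line(s)")
    for ln in status_search(SAMPLE_LOGS, "400", method="CONNECT"):
        print("  ", ln)
```

The phrase and raw-regex searches each return three lines because the request path, query string and referer all happen to contain 400; only the field comparison returns the single line whose status code is 400, which is the same reason querying parsed fields works where a free-text phrase does not.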