IsMatch

Learn about the IsMatch OTTL converter function.

  2 minute read  

Overview

The IsMatch converter checks if a string matches a regular expression pattern and returns a boolean value. It is the only valid OTTL function for regex matching and can be used in both OTTL statements and conditions (Filter Processor, Route node).

Syntax

IsMatch(value, pattern)

  • value: the string field to check (body, attributes["key"], or any string field)
  • pattern: the regular expression pattern to match against

Examples

Matching attributes in statements

Input

{
	"_type": "log",
	"body": "User authentication successful",
	"resource": {...},
	"attributes": {
		"email": "user@example.com",
		"phone": "555-123-4567",
		"ip_address": "192.168.1.100"
	}
}

Statement

set(attributes["is_valid_email"], IsMatch(attributes["email"], "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"))
set(attributes["is_valid_phone"], IsMatch(attributes["phone"], "^\\d{3}-\\d{3}-\\d{4}$"))
set(attributes["is_private_ip"], IsMatch(attributes["ip_address"], "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"))

Output

{
	"_type": "log",
	"body": "User authentication successful",
	"resource": {...},
	"attributes": {
		"email": "user@example.com",
		"phone": "555-123-4567",
		"ip_address": "192.168.1.100",
		"is_valid_email": true,
		"is_valid_phone": true,
		"is_private_ip": true
	}
}

Matching body content

Use IsMatch(body, ...) to match against the log body. The (?i) flag enables case-insensitive matching.

# Filter Processor: exclude logs containing "error" (case-insensitive)
processors:
- type: ottl_filter
  condition: IsMatch(body, "(?i)error")
  data_types:
  - log
  filter_mode: exclude

# Route node: route logs containing "error" or "fatal"
- path: error_logs
  condition: IsMatch(body, "(?i)(error|fatal)")
  exit_if_matched: true

Regex escaping in YAML

When using regex character classes like \d or \w in YAML, double the backslash so the OTTL engine receives the correct pattern.

YAML valueOTTL receivesMatches
"\\d+"\d+One or more digits
"\\."\.Literal dot
"^\\d{4}/\\d{2}/\\d{2}"^\d{4}/\d{2}/\d{2}Date in YYYY/MM/DD format
# Filter Processor: keep only logs starting with a date
processors:
- type: ottl_filter
  condition: IsMatch(body, "^\\d{4}/\\d{2}/\\d{2}")
  data_types:
  - log
  filter_mode: include

Dynamic arguments

The pattern argument can be read from a field instead of a literal string.

Input

{
	"_type": "log",
	"body": {
		"message": "ERROR: Connection to db-primary-west failed",
		"regex_field": "db-[a-z]+-[a-z]+"
	},
	"resource": {...},
	"attributes": {}
}

Statement

set(attributes["match_dynamic"], IsMatch(body["message"], body["regex_field"]))

Output

{
	"_type": "log",
	"body": {
		"message": "ERROR: Connection to db-primary-west failed",
		"regex_field": "db-[a-z]+-[a-z]+"
	},
	"resource": {...},
	"attributes": {
		"match_dynamic": true
	}
}

The regex pattern db-[a-z]+-[a-z]+ was read from body["regex_field"] and matched against the message, finding db-primary-west.