Operators used in log management filters and operators used in filters in Explore Logs do not have a one-to-one correspondence by name. However, you can select operators that produce similar results for both formats.

This difference is important when you use the Run in Explore Logs page menu item from the following tabs in the Log Management page:
  • Log Masking
  • Log Filtering
  • Log Forwarding
  • Cloud Forwarding
  • Index Partitions
For example, if you have a log management filter of matches *foo* and select the menu item Run in Explore Logs page, the Explore Logs query equates the log management filter to match regexp ^.*foo.*$, which might not match all the same log events.

Another example is matches foo, which when run on Explore Logs is treated as contains foo. Because the Explore Logs function also searches keyword queries, contains foo is likely to match more events than matches foo.

You can change the operators used by Explore Logs to address these differences.

  • Change the contains operator to matches regex.
  • Change occurrences of * from log management filters to .* and prefix filter terms with .*. For example, change the event filter expression matches *foo* to matches regex .*foo.* for Explore Logs.
  • For the does not match operator from event filters, you can use the matches regex operator with a regex look ahead value. For example, does not match *foo* is equivalent to matches regex .*(?!foo).*